diff --git a/WELA.ps1 b/WELA.ps1 index 7d884f82..232468ee 100644 --- a/WELA.ps1 +++ b/WELA.ps1 @@ -68,6 +68,7 @@ $totalUsablePwsModRate = CalculateTotalUsableRate -usableRate $usablePwsModRate $totalUsablePwsScrRate = CalculateTotalUsableRate -usableRate $usablePwsScrRate ShowRulesCountsByLevel -usableRate $usableSecRate -msg "Security event log detection rules: " -colorMsg "$totalUsableSecRate (Partially Enabled)" +ShowVerboseSecurity ShowRulesCountsByLevel -usableRate $usablePwsClaRate -msg "PowerShell classic logging detection rules: " -colorMsg "$totalUsablePwsClaRate (Enabled)" ShowRulesCountsByLevel -usableRate $usablePwsModRate -msg "PowerShell module logging detection rules: " -colorMsg "$totalUsablePwsModRate ($pwsModStatus)" ShowRulesCountsByLevel -usableRate $usablePwsScrRate -msg "PowerShell script block logging detection rules: " -colorMsg "$totalUsablePwsScrRate ($pwsSrcStatus)" diff --git a/WELAAuditMsg.psm1 b/WELAAuditMsg.psm1 new file mode 100644 index 00000000..670c44fe --- /dev/null +++ b/WELAAuditMsg.psm1 @@ -0,0 +1,191 @@ +function ShowVerboseSecurity { + $msg = @" +Account Logon + - Credential Validation $m_credential_validation + - Volume: ``Depends on NTLM usage. Could be high on DCs and low on clients and servers.`` + - Default settings: ``Client OS: No Auditing`` | ``Server OS: Success`` + - Recommended settings: ``Client and Server OSes: Success and Failure`` + - Kerberos Authentication Service $m_kerberos_authentication_service + - Volume: ``High`` + - Default settings: ``Client OS: No Auditing`` | ``Server OS: Success`` + - Recommended settings: ``Client OS: No Auditing`` | ``Server OS: Success and Failure`` + - Kerberos Service Ticket Operations $m_kerberos_sevice_ticket_operations + - Volume: ``High`` + - Default settings: ``Client OS: No Auditing`` | ``Server OS: Success`` + - Recommended settings: ``Domain Controllers: Success and Failure`` +Account Management + - Computer Account Management $m_computer_account_management + - Volume: ``Low`` + - Default settings: ``Client OS: No Auditing`` | ``Server OS: Success Only`` + - Recommended settings: ``Domain Controllers: Success and Failure`` + - Other Account Management Events $m_other_account_management + - Volume: ``Low`` + - Default settings: ``No Auditing`` + - Recommended settings: ``Success and Failure`` + - Security Group Management $m_security_group_management + - Volume: ``Low`` + - Default settings: ``Success`` + - Recommended settings: ``Success and Failure`` + - User Account Management $m_user_account_management + - Volume: ``Low`` + - Default settings: ``Success`` + - Recommended settings: ``Success and Failure`` +Detailed Tracking + - Plug and Play Events $m_plug_and_play_events + - Volume: ``Typcially low`` + - Default settings: ``No Auditing`` + - Recommended settings: ``Success and Failure`` + - Process Creation $m_process_creation + - Volume: ``High`` + - Default settings: ``No Auditing`` + - Recommended settings: ``Success and Failure`` if sysmon is not configured. + - Process Termination $m_process_termination + - Volume: ``High`` + - Default settings: ``No Auditing`` + - Recommended settings: ``No Auditing`` unless you want to track the lifespan of processes. + - RPC (Remote Procedure Call) Events $m_rpc_events + - Volume: ``High on RPC servers`` (According to Microsoft) + - Default settings: ``No Auditing`` + - Recommended settings: ``Unknown. Needs testing.`` + - Token Right Adjusted Events $m_token_right_adjusted_events + - Volume: ``Unknown`` + - Default settings: ``No Auditing`` + - Recommended settings: ``Unknown. Needs testing.`` +DS (Directory Service) Access + - Directory Service Access $m_directory_service_access + - Volume: ``High`` + - Default settings: ``Client OS: No Auditing`` | ``Server OS: Success`` + - Recommended settings: ``Client OS: No Auditing`` | ``ADDS Server: Success and Failure`` + - Directory Service Changes + - Volume: ``High`` + - Default settings: ``No Auditing`` + - Recommended settings: ``Client OS: No Auditing`` | ``ADDS Server: Success and Failure`` +Logon/Logoff + - Account Lockout $m_account_lockout + - Volume: ``Low`` + - Default settings: ``Success`` + - Recommended settings: ``Success and Failure`` + - Group Membership + - Volume: Adds an extra ``4627`` event to every logon. + - Default settings: ``No Auditing`` + - Recommended settings: ``No Auditing`` + - Logoff $m_logoff + - Volume: ``High`` + - Default settings: ``Success`` + - Recommended settings: ``Success`` + - Logon $m_logon + - Volume: ``Low on clients, medium on DCs or network servers`` + - Default settings: ``Client OS: Success`` | ``Server OS: Success and Failure`` + - Recommended settings: ``Success and Failure`` + - Other Logon/Logoff Events $m_other_logon_logoff_events + - Volume: ``Low`` + - Default settings: ``No Auditing`` + - Recommended settings: ``Success and Failure`` + - Special Logon $m_special_logon + - Volume: ``Low on clients. Medium on DC or network servers.`` + - Default settings: ``Success`` + - Recommended settings: ``Success and Failure`` +Object Access + - Certification Services $m_certification_services + - Volume: ``Low to medium`` + - Default settings: ``No Auditing`` + - Recommended settings: ``Success and Failure`` for AD CS role servers. + - Detailed File Share $m_detailed_file_share + - Volume: ``Very high for file servers and DCs, however, may be necessary if you want to track who is accessing what files as well as detect various lateral movement.`` + - Default settings: ``No Auditing`` + - Recommended settings: ``No Auditing`` due to the high noise level. Enable if you can though. + - File Share $m_file_share + - Volume: ``High for file servers and DCs.`` + - Default settings: ``No Auditing`` + - Recommended settings: ``Success and Failure`` + - File System $m_file_system + - Volume: ``Depends on SACL rules`` + - Default settings: ``No Auditing`` + - Recommended settings: ``Enable SACLs just for sensitive files`` + - Filtering Platform Connection $m_filtering_platform_connection + - Volume: ``High`` + - Default settings: ``No Auditing`` + - Recommended settings: ``Success and Failure`` if you have enough space and are not monitoring network connections with sysmon. This should cause a high amount of events though. + - Filtering Platform Packet Drop $m_filtering_platform_packet_drop + - Volume: ``High`` + - Default settings: ``No Auditing`` + - Recommended settings: ``Success and Failure`` if you have enough space and are not monitoring network connections with sysmon. This should cause a high amount of events though. + - Kernel Object $m_kernel_object + - Volume: ``High if auditing access of global object access is enabled`` + - Default settings: ``No Auditing`` + - Recommended settings: ``Success and Failure`` but do not enable ``Audit the access of global system objects`` as you will generate too many ``4663: Object Access`` events. + - Handle Manipulation $m_handle_manipulation + - Volume: ``High`` + - Default settings: ``No Auditing`` + - Recommended settings: ``Success and Failure`` + - Other Object Access Events $m_other_object_access_events + - Volume: ``Low`` + - Default settings: ``No Auditing`` + - Recommended settings: ``Success and Failure`` + - Registry $m_registry + - Volume: ``Depends on SACLs`` + - Default settings: ``No Auditing`` + - Recommended settings: ``Set SACLs for only the registry keys that you want to monitor`` + - Removable Storage $m_removable_storage + - Volume: ``Depends on how much removable storage is used`` + - Default settings: ``No Auditing`` + - Recommended settings: ``Success and Failure`` if you want to monitor external device usage. + - SAM $m_sam + - Volume: ``High volume of events on Domain Controllers`` + - Default settings: ``No Auditing`` + - Recommended settings: ``Success and Failure`` if you can but may cause too high volume of noise so should be tested beforehand. +Policy Change + - Audit Policy Change $m_audit_policy_change + - Volume: ``Low`` + - Default settings: ``Success`` + - Recommended settings: ``Success and Failure`` + - Authentication Policy Change $m_authentication_policy_change + - Volume: ``Low`` + - Default settings: ``Success`` + - Recommended settings: ``Success and Failure`` + - Authorization Policy Change $m_authorization_policy_change + - Volume: ``Medium to High`` + - Default settings: ``No Auditing`` + - Recommended settings: ``Unknown. Needs testing.`` + - Filtering Platform Policy Change $m_filtering_platform_policy_change + - Volume: ``Low`` + - Default settings: ``No Auditing`` + - Recommended settings: ``Unknown, Needs testing.`` + - MPSSVC Rule-Level Policy Change $m_mpssvc_rule_level_policy_change + - Volume: ``Low`` + - Default settings: ``No Auditing`` + - Recommended settings: ``Unknown. Needs testing.`` + - Other Policy Change Events $m_other_policy_change_events + - Volume: ``Low`` + - Default settings: ``No Auditing`` + - Recommended settings: ``No Auditing`` (Note: ACSC recommends ``Success and Failure``, however, this results in a lot of noise of ``5447 (A Windows Filtering Platform filter has been changed)`` events being generated.) +Privilege Use + - Non Sensitive Use Events $m_non_sensitive_use_events + - Volume: ``Very high`` + - Default settings: ``No Auditing`` + - Recommended settings: ``No Auditing`` + - Sensitive Privilege Use $m_sensitive_privilege_use + - Volume: ``High`` + - Default settings: ``No Auditing`` + - Recommended settings: ``Success and Failure`` However, this may be too noisy. +System + - Other System Events $m_other_system_events + - Volume: ``Low`` + - Default settings: ``Success and Failure`` + - Recommended settings: ``Unknown. Needs testing.`` + - Security State Change $m_security_state_change + - Volume: ``Low`` + - Default settings: ``Success`` + - Recommended settings: ``Success and Failure`` + - Security System Extension $m_security_system_extension + - Volume: ``Low, but more on DCs`` + - Default settings: ``No Auditing`` + - Recommended settings: ``Success and Failure`` + - System Integrity $m_system_integrity + - Volume: ``Low`` + - Default settings: ``Sucess, Failure`` + - Recommended settings: ``Success and Failure`` +"@ + Write-Host $msg +} + diff --git a/WELAFunctions.psm1 b/WELAFunctions.psm1 index 005aca1d..64e2bcbe 100644 --- a/WELAFunctions.psm1 +++ b/WELAFunctions.psm1 @@ -220,8 +220,4 @@ function Test-IsAdministrator { return (New-Object Security.Principal.WindowsPrincipal($currentUser)).IsInRole($adminRole) } -if (-not (Test-IsAdministrator)) { - Write-Output "This script must be run as an Administrator." - exit -}