diff --git a/.github/workflows/check-audit.yml b/.github/workflows/check-audit.yml index 56ae008e..95b39283 100644 --- a/.github/workflows/check-audit.yml +++ b/.github/workflows/check-audit.yml @@ -43,6 +43,11 @@ jobs: $PSVersionTable.PSVersion shell: powershell + - name: Run congiure command(PowerShell 5.1) + run: | + ./WELA.ps1 configure -Baseline YamatoSecurity -Auto + shell: powershell + - name: Run WELA.ps1 audit-settings(PowerShell 5.1) run: | ./WELA.ps1 audit-settings @@ -61,4 +66,4 @@ jobs: - name: Output UnUsableRules.csv(PowerShell 5.1) run: | Get-Content UnusableRules.csv - shell: powershell \ No newline at end of file + shell: powershell diff --git a/CHANGELOG-Japanese.md b/CHANGELOG-Japanese.md index cedca664..64488cea 100644 --- a/CHANGELOG-Japanese.md +++ b/CHANGELOG-Japanese.md @@ -5,6 +5,7 @@ **新機能:** - MITRE ATT&CK Navigatorヒートマップに対応した。 (#11) (@fukusuket) +- Windows設定を様々なベースラインに構成するための`configure`コマンドを追加した。 (#12) (@fukusuket) **バグ修正:** diff --git a/CHANGELOG.md b/CHANGELOG.md index 5759f327..f20f45f9 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -5,6 +5,7 @@ **New Features:** - Support for MITRE ATT&CK Navigator heatmaps. (#11) (@fukusuket) +- Added a `configure` command to configure Windows settings to various baselines. (#12) (@fukusuket) **Bug Fixes:** diff --git a/WELA.ps1 b/WELA.ps1 index 1127a00b..cfe5709d 100644 --- a/WELA.ps1 +++ b/WELA.ps1 @@ -1,8 +1,9 @@ param ( [string]$Cmd, [string]$OutType = "std", - [string]$Baseline = "YamatoSecurity", - [bool]$Debug = $false + [bool]$Debug = $false, + [string]$Baseline, + [switch]$Auto ) class WELA { @@ -5173,15 +5174,22 @@ function AuditLogSetting { } $auditResult | Select-Object -Property Category, SubCategory, RuleCount, RuleCountByLevel, DefaultSetting, CurrentSetting, RecommendedSetting, Volume, Note | Export-Csv -Path "WELA-Audit-Result.csv" -NoTypeInformation Write-Output "Audit check result saved to: WELA-Audit-Result.csv" - } elseif ($outType -eq "gui") { - $auditResult | Select-Object -Property Category, SubCategory, RuleCount, RuleCountByLevel, DefaultSetting, CurrentSetting, RecommendedSetting, Volume, Note | Out-GridView -Title "WELA Audit Result" } elseif ($outType -eq "table") { $auditResult | Select-Object -Property Category, SubCategory, RuleCount, DefaultSetting, CurrentSetting, RecommendedSetting, Volume | Format-Table } + $usableRules = $auditResult | Select-Object -ExpandProperty Rules | Where-Object { $_.applicable -eq $true } $unUsableRules = $auditResult | Select-Object -ExpandProperty Rules | Where-Object { $_.applicable -eq $false } $usableRules | Select-Object title, level, service, category, description, id | Export-Csv -Path "UsableRules.csv" -NoTypeInformation $unusableRules | Select-Object title, level, service, category, description, id | Export-Csv -Path "UnusableRules.csv" -NoTypeInformation + + if ($outType -eq "gui") { + $usableRules | Select-Object title, level, service, category, description, id | Out-GridView -Title "Usable Detection Rules" + $unUsableRules | Select-Object title, level, service, category, description, id | Out-GridView -Title "Unusable Detection Rules" + $auditResult | Select-Object -Property Category, SubCategory, RuleCount, RuleCountByLevel, DefaultSetting, CurrentSetting, RecommendedSetting, Volume, Note | Out-GridView -Title "WELA Audit Result" + Write-Output "Audit check result saved to: WELA-Audit-Result.csv" + } + Write-Output "Usable detection rules list saved to: UsableRules.csv" Write-Output "Unusable detection rules list saved to: UnusableRules.csv" @@ -5191,7 +5199,6 @@ function AuditLogSetting { Export-MitreHeatmap -sigmaRules $sigma_rules -OutputPath "mitre-ttp-navigator-ideal.json" -UseIdealCount $true Write-Output "MITRE ATT&CK Navigator data(based on ideal settings) saved to: mitre-ttp-navigator-ideal.json" - $totalRulesCount = $auditResult | Select-Object -ExpandProperty Rules | Measure-Object | Select-Object -ExpandProperty Count $usableRulesCount = $usableRules | Measure-Object | Select-Object -ExpandProperty Count $utilizationPercentage = "{0:N2}" -f (($usableRulesCount / $totalRulesCount) * 100) @@ -5417,6 +5424,367 @@ function UpdateRules { } } +function ConfigureAuditSettings { + param ( + [string] $Baseline = "YamatoSecurity", + [switch] $Auto + ) + + # 管理者権限の確認 + if (-NOT ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { + Write-Error "This script requires Administrator privileges" + exit 1 + } + + + + $autidpolTxt = "./auditpol.txt" + if (-not $debug) { + Start-Process -FilePath "cmd.exe" -ArgumentList "/c chcp 437 & auditpol /get /category:* /r" -NoNewWindow -Wait -RedirectStandardOutput $autidpolTxt + } + + # ログサイズ定数 + $oneGB = 1073741824 + $oneTwentyEightMB = 134217728 + + # セキュリティおよびPowerShellログを1GBに設定 + Write-Host "Configuring Event Logs..." + Write-Host "" + $largeLogs = @( + "Security", + "Microsoft-Windows-PowerShell/Operational", + "Windows PowerShell" + ) + + foreach ($log in $largeLogs) { + try { + $logInfo = Get-WinEvent -ListLog $log -ErrorAction Stop + $currentSize = [math]::Floor($logInfo.MaximumSizeInBytes / 1MB) + $newSize = 1024 + Write-Host "Log: $log" + if ($currentSize -ge $newSize) { + Write-Host "[SKIPPED] $log : Current size ($currentSize MB) is already greater than or equal to $newSize MB." -ForegroundColor Yellow + Write-Host "" + continue + } + if ($Auto) { + $response = "Y" + } else { + $response = Read-Host "Your current setting is $currentSize MB. Do you want to change it to 1024 MB? (Y/n)" + } + if ($response -eq "" -or $response -eq "Y" -or $response -eq "y") { + wevtutil sl $log /ms:$oneGB 2>&1 | Out-Null + Write-Host "[OK] $log : 1024 MB" -ForegroundColor Green + } else { + Write-Host "[SKIPPED] $log" -ForegroundColor Yellow + } + } + catch { + Write-Host "[ERROR] $log : $_" -ForegroundColor Red + } + Write-Host "" + } + + # その他の重要なログを128MBに設定 + $mediumLogs = @( + "System", + "Application", + "Microsoft-Windows-Windows Defender/Operational", + "Microsoft-Windows-Bits-Client/Operational", + "Microsoft-Windows-Windows Firewall With Advanced Security/Firewall", + "Microsoft-Windows-NTLM/Operational", + "Microsoft-Windows-Security-Mitigations/KernelMode", + "Microsoft-Windows-Security-Mitigations/UserMode", + "Microsoft-Windows-PrintService/Admin", + "Microsoft-Windows-PrintService/Operational", + "Microsoft-Windows-SmbClient/Security", + "Microsoft-Windows-AppLocker/MSI and Script", + "Microsoft-Windows-AppLocker/EXE and DLL", + "Microsoft-Windows-AppLocker/Packaged app-Deployment", + "Microsoft-Windows-AppLocker/Packaged app-Execution", + "Microsoft-Windows-CodeIntegrity/Operational", + "Microsoft-Windows-Diagnosis-Scripted/Operational", + "Microsoft-Windows-DriverFrameworks-UserMode/Operational", + "Microsoft-Windows-WMI-Activity/Operational", + "Microsoft-Windows-TerminalServices-LocalSessionManager/Operational", + "Microsoft-Windows-TaskScheduler/Operational" + ) + + foreach ($log in $mediumLogs) { + try { + $logInfo = Get-WinEvent -ListLog $log -ErrorAction Stop + $currentSize = [math]::Floor($logInfo.MaximumSizeInBytes / 1MB) + $newSize = 128 + Write-Host "Log: $log" + if ($currentSize -ge $newSize) { + Write-Host "[SKIPPED] $log : Current size ($currentSize MB) is already greater than or equal to $newSize MB." -ForegroundColor Yellow + Write-Host "" + continue + } + if ($Auto) { + $response = "Y" + } else { + $response = Read-Host "Your current setting is $currentSize MB. Do you want to change it to 128 MB? (Y/n)" + } + if ($response -eq "" -or $response -eq "Y" -or $response -eq "y") { + wevtutil sl $log /ms:$oneTwentyEightMB 2>&1 | Out-Null + Write-Host "[OK] $log : 128 MB" -ForegroundColor Green + } else { + Write-Host "[SKIPPED] $log" -ForegroundColor Yellow + } + } + catch { + Write-Host "[ERROR] $log : $_" -ForegroundColor Red + } + Write-Host "" + } + + # 特定のログの有効化 + Write-Host "Enabling Event Logs..." + Write-Host "" + foreach ($log in @("Microsoft-Windows-TaskScheduler/Operational", "Microsoft-Windows-DriverFrameworks-UserMode/Operational")) { + try { + $logInfo = Get-WinEvent -ListLog $log -ErrorAction Stop + $currentState = if ($logInfo.IsEnabled) { "Enabled" } else { "Disabled" } + $newState = "Enabled" + Write-Host "Log: $log" + if ($currentState -eq $newState) { + Write-Host "[SKIPPED] $log : Already Enabled." -ForegroundColor Yellow + Write-Host "" + continue + } + if ($Auto) { + $response = "Y" + } else { + $response = Read-Host "Your current setting is $currentState. Do you want to change it to Enabled? (Y/n)" + } + if ($response -eq "" -or $response -eq "Y" -or $response -eq "y") { + wevtutil sl $log /e:true 2>&1 | Out-Null + Write-Host "[OK] Enabled: $log" -ForegroundColor Green + } else { + Write-Host "[SKIPPED] $log" -ForegroundColor Yellow + } + } + catch { + Write-Host "[ERROR] Failed to enable $log : $_" -ForegroundColor Red + } + Write-Host "" + } + + # PowerShell ロギングの設定 + Write-Host "Configuring PowerShell Logging..." + Write-Host "" + $regPaths = @( + @{Path = "HKLM:\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\PowerShell\ModuleLogging"; Name = "EnableModuleLogging"; Value = 1}, + @{Path = "HKLM:\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging"; Name = "EnableScriptBlockLogging"; Value = 1} + ) + + foreach ($reg in $regPaths) { + try { + $currentValue = "Not Set" + if (Test-Path $reg.Path) { + $prop = Get-ItemProperty -Path $reg.Path -Name $reg.Name -ErrorAction SilentlyContinue + if ($prop) { + $currentValue = $prop.$($reg.Name) + } + } + Write-Host "Registry: $($reg.Path) Value: $($reg.Name)" + if ($currentValue -eq $reg.Value) { + Write-Host "[SKIPPED] $($reg.Name) : Already set to $($reg.Value)." -ForegroundColor Yellow + Write-Host "" + continue + } + if ($Auto) { + $response = "Y" + } else { + $response = Read-Host "Your current setting is $currentValue. Do you want to change it to $( $reg.Value )? (Y/n)" + } + if ($response -eq "" -or $response -eq "Y" -or $response -eq "y") { + New-Item -Path $reg.Path -Force | Out-Null + Set-ItemProperty -Path $reg.Path -Name $reg.Name -Value $reg.Value -Type DWord + Write-Host "[OK] Set $($reg.Name)" -ForegroundColor Green + } else { + Write-Host "[SKIPPED] $($reg.Name)" -ForegroundColor Yellow + } + } + catch { + Write-Host "[ERROR] Failed to set registry: $_" -ForegroundColor Red + } + Write-Host "" + } + + # モジュール名レジストリの設定 + try { + $moduleLoggingPath = "HKLM:\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\PowerShell\ModuleLogging\ModuleNames" + $currentValue = "Not Set" + if (Test-Path $moduleLoggingPath) { + $prop = Get-ItemProperty -Path $moduleLoggingPath -Name "*" -ErrorAction SilentlyContinue + if ($prop) { + $currentValue = $prop."*" + } + } + Write-Host "Registry: $moduleLoggingPath" + if ($currentValue -eq "*") { + Write-Host "[SKIPPED] Module logging : Already set to * (all modules)." -ForegroundColor Yellow + Write-Host "" + } else + { + if ($Auto) + { + $response = "Y" + } + else + { + $response = Read-Host "Your current setting is $currentValue. Do you want to change it to * (all modules)? (Y/n)" + } + if ($response -eq "" -or $response -eq "Y" -or $response -eq "y") + { + New-Item -Path $moduleLoggingPath -Force | Out-Null + Set-ItemProperty -Path $moduleLoggingPath -Name "*" -Value "*" -Type String + Write-Host "[OK] Module logging enabled for all modules" -ForegroundColor Green + } + else + { + Write-Host "[SKIPPED] Module logging" -ForegroundColor Yellow + } + } + } + catch { + Write-Host "[ERROR] Failed to configure module names: $_" -ForegroundColor Red + } + Write-Host "" + + # コマンドライン監査の有効化 + Write-Host "Enabling Command Line Auditing..." + Write-Host "" + $regPath = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit" + $valueName = "ProcessCreationIncludeCmdLine_Enabled" + try { + $currentValue = "Not Set" + if (Test-Path $regPath) { + $prop = Get-ItemProperty -Path $regPath -Name $valueName -ErrorAction SilentlyContinue + $currentValue = $prop.$valueName + } + Write-Host "Registry: $regPath" + if ($currentValue -eq 1) { + Write-Host "[SKIPPED] Command Line Auditing : Already Enabled." -ForegroundColor Yellow + Write-Host "" + } else + { + if ($Auto) + { + $response = "Y" + } + else + { + $response = Read-Host "Your current setting is $currentValue. Do you want to change it to 1 (Enabled)? (Y/n)" + } + if ($response -eq "" -or $response -eq "Y" -or $response -eq "y") + { + $regPath = $regPath -replace "HKLM:", "HKLM" + $arguments = "add $regPath /v $valueName /f /t REG_DWORD /d 1" + $process = Start-Process -FilePath "reg.exe" -ArgumentList $arguments -Wait -PassThru -NoNewWindow -RedirectStandardOutput "NUL" + if ($process.ExitCode -eq 0) + { + Write-Host "[OK] Command line auditing enabled" -ForegroundColor Green + } + else + { + Write-Host "[ERROR] Command line auditing failed (ExitCode: $( $process.ExitCode ))" -ForegroundColor Red + } + } + else + { + Write-Host "[SKIPPED] Command line auditing" -ForegroundColor Yellow + } + } + } + catch { + Write-Host "[ERROR] Failed to check command line auditing: $_" -ForegroundColor Red + } + Write-Host "" + + # 監査ポリシーの設定 + Write-Host "Configuring Audit Policies..." + Write-Host "" + $auditPolicies = @( + @{Category = "Account Logon"; Name = "Credential Validation"; GUID = "0CCE923F-69AE-11D9-BED3-505054503030"}, + @{Category = "Account Logon"; Name = "Kerberos Authentication Service"; GUID = "0CCE9242-69AE-11D9-BED3-505054503030"}, + @{Category = "Account Logon"; Name = "Kerberos Service Ticket Operations"; GUID = "0CCE9240-69AE-11D9-BED3-505054503030"}, + @{Category = "Account Management"; Name = "Computer Account Management"; GUID = "0CCE9236-69AE-11D9-BED3-505054503030"}, + @{Category = "Account Management"; Name = "Other Account Management Events"; GUID = "0CCE923A-69AE-11D9-BED3-505054503030"}, + @{Category = "Account Management"; Name = "Security Group Management"; GUID = "0CCE9237-69AE-11D9-BED3-505054503030"}, + @{Category = "Account Management"; Name = "User Account Management"; GUID = "0CCE9235-69AE-11D9-BED3-505054503030"}, + @{Category = "Detailed Tracking"; Name = "Plug and Play"; GUID = "0cce9248-69ae-11d9-bed3-505054503030"}, + @{Category = "Detailed Tracking"; Name = "Process Creation"; GUID = "0CCE922B-69AE-11D9-BED3-505054503030"}, + @{Category = "Detailed Tracking"; Name = "RPC Events"; GUID = "0CCE922E-69AE-11D9-BED3-505054503030"}, + @{Category = "DS Access"; Name = "Directory Service Access"; GUID = "0CCE923B-69AE-11D9-BED3-505054503030"}, + @{Category = "DS Access"; Name = "Directory Service Changes"; GUID = "0CCE923C-69AE-11D9-BED3-505054503030"}, + @{Category = "Logon/Logoff"; Name = "Account Lockout"; GUID = "0CCE9217-69AE-11D9-BED3-505054503030"}, + @{Category = "Logon/Logoff"; Name = "Logoff"; GUID = "0CCE9216-69AE-11D9-BED3-505054503030"}, + @{Category = "Logon/Logoff"; Name = "Logon"; GUID = "0CCE9215-69AE-11D9-BED3-505054503030"}, + @{Category = "Logon/Logoff"; Name = "Other Logon/Logoff Events"; GUID = "0CCE921C-69AE-11D9-BED3-505054503030"}, + @{Category = "Logon/Logoff"; Name = "Special Logon"; GUID = "0CCE921B-69AE-11D9-BED3-505054503030"}, + @{Category = "Object Access"; Name = "Certification Services"; GUID = "0CCE9221-69AE-11D9-BED3-505054503030"}, + @{Category = "Object Access"; Name = "File Share"; GUID = "0CCE9224-69AE-11D9-BED3-505054503030"}, + @{Category = "Object Access"; Name = "Filtering Platform Connection"; GUID = "0CCE9226-69AE-11D9-BED3-505054503030"}, + @{Category = "Object Access"; Name = "Other Object Access Events"; GUID = "0CCE9227-69AE-11D9-BED3-505054503030"}, + @{Category = "Object Access"; Name = "Removable Storage"; GUID = "0CCE9245-69AE-11D9-BED3-505054503030"}, + @{Category = "Object Access"; Name = "SAM"; GUID = "0CCE9220-69AE-11D9-BED3-505054503030"}, + @{Category = "Policy Change"; Name = "Audit Policy Change"; GUID = "0CCE922F-69AE-11D9-BED3-505054503030"}, + @{Category = "Policy Change"; Name = "Authentication Policy Change"; GUID = "0CCE9230-69AE-11D9-BED3-505054503030"}, + @{Category = "Policy Change"; Name = "Other Policy Change Events"; GUID = "0CCE9234-69AE-11D9-BED3-505054503030"}, + @{Category = "Privilege Use"; Name = "Sensitive Privilege Use"; GUID = "0CCE9228-69AE-11D9-BED3-505054503030"}, + @{Category = "System"; Name = "Security State Change"; GUID = "0CCE9210-69AE-11D9-BED3-505054503030"}, + @{Category = "System"; Name = "Security System Extension"; GUID = "0CCE9211-69AE-11D9-BED3-505054503030"}, + @{Category = "System"; Name = "System Integrity"; GUID = "0CCE9212-69AE-11D9-BED3-505054503030"}, + @{Category = "System"; Name = "Other System Events"; GUID = "0CCE9214-69AE-11D9-BED3-505054503030"} + ) + + $currentAuditPol = GetAuditpol + + foreach ($policy in $auditPolicies) + { + $newSetting = "Success and Failure" + $currentSetting = if ($currentAuditPol.ContainsKey($policy.GUID)) + { + $currentAuditPol[$policy.GUID] + } + else + { + "Unknown" + } + + Write-Host "Audit Policy: $( $policy.Category ) - $( $policy.Name )" + if ($currentSetting -eq $newSetting) + { + Write-Host "[SKIPPED] $( $policy.Category ) - $( $policy.Name ) : Already set to $newSetting." -ForegroundColor Yellow + Write-Host "" + continue + } + if ($Auto) { + $response = "Y" + } else { + $response = Read-Host "Your current setting is $currentSetting. Do you want to change it to $newSetting? (Y/n)" + } + if ($response -eq "" -or $response -eq "Y" -or $response -eq "y") { + $arguments = "/set /subcategory:{$($policy.GUID)} /success:enable /failure:enable" + $process = Start-Process -FilePath "auditpol.exe" -ArgumentList $arguments -Wait -PassThru -NoNewWindow -RedirectStandardOutput "NUL" + + if ($process.ExitCode -eq 0) { + Write-Host "[OK] $($policy.Category) - $($policy.Name)" -ForegroundColor Green + } + else { + Write-Host "[ERROR] $($policy.Category) - $($policy.Name) (ExitCode: $($process.ExitCode))" -ForegroundColor Red + } + } else { + Write-Host "[SKIPPED] $($policy.Category) - $($policy.Name)" -ForegroundColor Yellow + } + Write-Host "" + } + Write-Host "Configuration completed successfully" -ForegroundColor Green +} + $logo = @" ┏┓┏┓┏┳━━━┳┓ ┏━━━┓ ┃┃┃┃┃┃┏━━┫┃ ┃┏━┓┃ @@ -5433,6 +5801,8 @@ Usage: ./WELA.ps1 audit-settings -Baseline YamatoSecurity # Audit current setting and show in stdout, save to csv ./WELA.ps1 audit-settings -Baseline ASD -OutType gui # Audit current setting and show in gui, save to csv ./WELA.ps1 audit-filesize -Baseline YamatoSecurity # Audit current file size and show in stdout, save to csv + ./WELA.ps1 configure -Baseline YamatoSecurity # Configure audit settings based on the specified baseline + ./WELA.ps1 configure -Baseline YamatoSecurity -Auto # Configure audit settings automatically without prompts ./WELA.ps1 update-rules # Update rule config files from https://github.com/Yamato-Security/WELA ./WELA.ps1 help # Show this help "@ @@ -5443,6 +5813,9 @@ Write-Host $logo -ForegroundColor Green switch ($Cmd.ToLower()) { "audit-settings" { + if ([string]::IsNullOrEmpty($Baseline)) { + $Baseline = "YamatoSecurity" + } $validGuides = @("YamatoSecurity", "ASD", "Microsoft_Client", "Microsoft_Server") if (-not ($validGuides -contains $Baseline.ToLower())) { Write-Host "Invalid Guide specified. Valid options are: YamatoSecurity, ASD, Microsoft_Client, Microsoft_Server." @@ -5454,6 +5827,19 @@ switch ($Cmd.ToLower()) { AuditFileSize } + "configure" { + if ([string]::IsNullOrEmpty($Baseline)) { + Write-Host "You need to specify a baseline. The following baselines are available:" + Write-Host " * YamatoSecurity" + Write-Host "" + Write-Host "Examples: " + Write-Host "./WELA.ps1 configure -Baseline YamatoSecurity" + Write-Host "./WELA.ps1 configure -Baseline YamatoSecurity -Auto" + break + } + ConfigureAuditSettings -Baseline $Baseline -Auto:$Auto + } + "update-rules" { UpdateRules }