From a8c8db78039ff4b38a2a20d6df093c28effb0f0b Mon Sep 17 00:00:00 2001
From: fukusuket <41001169+fukusuket@users.noreply.github.com>
Date: Fri, 9 May 2025 17:49:51 +0900
Subject: [PATCH 1/7] feat: add audit-settigs cmd option guide
---
 WELA.ps1 | 3560 +++++++++++++++++++++++++++++++++++++++++++++++++++++-
 1 file changed, 3499 insertions(+), 61 deletions(-)
diff --git a/WELA.ps1 b/WELA.ps1
index 64017b01..8836a636 100644
--- a/WELA.ps1
+++ b/WELA.ps1
@@ -1,4 +1,11 @@
-class WELA {
+param (
+ [string]$Cmd,
+ [string]$OutType = "std",
+ [string]$Guide = "YamatoSecurity",
+ [bool]$Debug = $false
+)
+
+class WELA {
 static [array] $Levels = @('critical', 'high', 'medium', 'low', 'informational')
 [string] $Category
 [string] $SubCategory
@@ -184,46 +191,12 @@ function CheckRegistryValue {
 return $false
 }
 }
-
-function AuditLogSetting {
+function GuideYamatoSecurity
+{
 param (
- [string] $outType,
- [bool] $debug
+ [object[]] $all_rules
 )
- $autidpolTxt = "./auditpol.txt"
- if (-not $debug) {
- Start-Process -FilePath "cmd.exe" -ArgumentList "/c chcp 437 & auditpol /get /category:* /r" -NoNewWindow -Wait -RedirectStandardOutput $autidpolTxt
- }
- $enabledguid = [System.Collections.Generic.HashSet[string]]::new()
- Get-Content -Path $autidpolTxt | Select-String -NotMatch "No Auditing" | ForEach-Object {
- if ($_ -match '{(.*?)}') {
- [void]$enabledguid.Add($matches[1])
- }
- }
- $all_rules = Get-Content -Path "config/security_rules.json" -Raw | ConvertFrom-Json
- $all_rules | ForEach-Object {
- $_ | Add-Member -MemberType NoteProperty -Name "applicable" -Value $false
- }
 $auditResult = @()
-
- # Application
- $guid = ""
- $eids = @()
- $channels = @("Application")
- $enabled = $true
- $rules = $all_rules | Where-Object { RuleFilter $_ $eids $channels $guid }
- $rules | ForEach-Object { $_.applicable = $enabled }
- $auditResult += [WELA]::New(
- "Application",
- "",
- $enabled,
- [array]$rules,
- "Enabled",
- "Enabled",
- "",
- ""
- )
-
 # Applocker
 $guid = ""
 $eids = @()
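Review bot: `[bool]$Debug = $false` in the new param block should be a `[switch]`, and the name shadows PowerShell's common `-Debug` parameter: the script is not an advanced script today, but as far as I know adding `[CmdletBinding()]` later makes this declaration fail with a duplicate-parameter error, and until then callers must write `-Debug $true` rather than `-Debug`. Replacing the line with `[switch]$Debug` keeps the `$Debug` usages below working. `$OutType` and `$Guide` also accept any string with no `ValidateSet`, so a mistyped `-Guide` value falls through to whatever the dispatch outside this hunk does instead of being rejected; `[ValidateSet("YamatoSecurity", "ASD", "MSC")][string]$Guide = "YamatoSecurity"` would pin it, assuming (from the GuideYamatoSecurity/GuideASD/GuideMSC functions added in this patch) those are the intended values.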
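Review bot: The removed lines are where `$enabledguid` was populated from the auditpol output, but the new `GuideYamatoSecurity` takes only `$all_rules`, and the same-shaped `GuideASD` in the next hunk still evaluates `$enabledguid -contains $guid` for every Security Advanced subcategory. Unless a caller outside these hunks now sets `$enabledguid` at script scope, that expression is `$null -contains $guid`, always `$false`, so every advanced audit subcategory is reported as disabled and its rules marked not applicable — a silently wrong coverage report rather than an error. The dropped `Add-Member ... applicable` initialisation has the same shape of risk: `$_.applicable = $enabled` throws if the NoteProperty was never added to the rule objects. Passing the dependency explicitly instead of relying on dynamic scoping makes this visible at the call site: `param ( [object[]] $all_rules, [System.Collections.Generic.HashSet[string]] $enabledguid )`. GuideYamatoSecurity's body continues past the end of this hunk.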
@@ -1344,6 +1317,3482 @@ function AuditLogSetting { "", "" ) + return $auditResult +} + +function GuideASD { + param ( + [object[]] $all_rules + ) + + $auditResult = @() + # Application + $guid = "" + $eids = @() + $channels = @("Application") + $enabled = $true + $rules = $all_rules | Where-Object { RuleFilter $_ $eids $channels $guid } + $rules | ForEach-Object { $_.applicable = $enabled } + $auditResult += [WELA]::New( + "Application", + "", + $enabled, + [array]$rules, + "Enabled", + "", + "", + "" + ) + + # Applocker + $guid = "" + $eids = @() + $channels = @("Microsoft-Windows-AppLocker/MSI and Script", "Microsoft-Windows-AppLocker/EXE and DLL", "Microsoft-Windows-AppLocker/Packaged app-Deployment", "Microsoft-Windows-AppLocker/Packaged app-Execution") + $enabled = $true + $rules = $all_rules | Where-Object { RuleFilter $_ $eids $channels $guid } + $rules | ForEach-Object { $_.applicable = $enabled } + $auditResult += [WELA]::New( + "Applocker", + "", + $enabled, + [array]$rules, + "Enabled", + "Enabled", + "", + "" + ) + + # Bits-Client Operational + $guid = "" + $eids = @() + $channels = @("Microsoft-Windows-Bits-Client/Operational") + $enabled = $true + $rules = $all_rules | Where-Object { RuleFilter $_ $eids $channels $guid } + $rules | ForEach-Object { $_.applicable = $enabled } + $auditResult += [WELA]::New( + "Bits-Client Operational", + "", + $enabled, + [array]$rules, + "Enabled", + "", + "", + "" + ) + + # CodeIntegrity Operational + $guid = "" + $eids = @() + $channels = @("Microsoft-Windows-CodeIntegrity/Operational") + $enabled = $true + $rules = $all_rules | Where-Object { RuleFilter $_ $eids $channels $guid } + $rules | ForEach-Object { $_.applicable = $enabled } + $auditResult += [WELA]::New( + "CodeIntegrity Operational", + "", + $enabled, + [array]$rules, + "Enabled", + "", + "", + "" + ) + + # Diagnosis-Scripted Operational + $guid = "" + $eids = @() + $channels = @("Microsoft-Windows-Diagnosis-Scripted/Operational") + $enabled = $true + 
$rules = $all_rules | Where-Object { RuleFilter $_ $eids $channels $guid } + $rules | ForEach-Object { $_.applicable = $enabled } + $auditResult += [WELA]::New( + "Diagnosis-Scripted Operational", + "", + $enabled, + [array]$rules, + "Enabled", + "", + "", + "" + ) + + # DriverFrameworks-UserMode Operational + $guid = "" + $eids = @() + $channels = @("Microsoft-Windows-DriverFrameworks-UserMode/Operational") + $enabled = $true + $rules = $all_rules | Where-Object { RuleFilter $_ $eids $channels $guid } + $rules | ForEach-Object { $_.applicable = $enabled } + $auditResult += [WELA]::New( + "DriverFrameworks-UserMode Operational", + "", + $enabled, + [array]$rules, + "Enabled", + "", + "", + "" + ) + + # Firewall + $guid = "" + $eids = @() + $channels = @("Microsoft-Windows-Windows Firewall With Advanced Security/Firewall") + $enabled = $true + $rules = $all_rules | Where-Object { RuleFilter $_ $eids $channels $guid } + $rules | ForEach-Object { $_.applicable = $enabled } + $auditResult += [WELA]::New( + "Firewall", + "", + $enabled, + [array]$rules, + "Enabled", + "", + "", + "" + ) + + # NTLM Operational + $guid = "" + $eids = @() + $channels = @("Microsoft-Windows-Diagnosis-Scripted/Operational") + $enabled = $true + $rules = $all_rules | Where-Object { RuleFilter $_ $eids $channels $guid } + $rules | ForEach-Object { $_.applicable = $enabled } + $auditResult += [WELA]::New( + "Microsoft-Windows-NTLM/Operational", + "", + $enabled, + [array]$rules, + "Enabled", + "", + "", + "" + ) + + # PowerShell + ## Classic + $guid = "" + $eids = @("400") + $channels = @("pwsh") + $enabled = $true + $rules = $all_rules | Where-Object { RuleFilter $_ $eids $channels $guid } + $rules | ForEach-Object { $_.applicable = $enabled } + $auditResult += [WELA]::New( + "PowerShell", + "Classic", + $enabled, + [array]$rules, + "Enabled", + "", + "", + "" + ) + + ## Module + $guid = "" + $eids = @("4103") + $channels = @("pwsh") + $enabled = CheckRegistryValue -registryPath 
"HKLM:\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\PowerShell\ModuleLogging" -valueName "EnableModuleLogging" -expectedValue 1 + $rules = $all_rules | Where-Object { RuleFilter $_ $eids $channels $guid } + $rules | ForEach-Object { $_.applicable = $enabled } + $auditResult += [WELA]::New( + "PowerShell", + "Module", + $enabled, + [array]$rules, + "No Auditing", + "Enabled", + "", + "" + ) + + ## ScriptBlock + $guid = "" + $eids = @("4104") + $channels = @("pwsh") + $enabled = CheckRegistryValue -registryPath "HKLM:\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging" -valueName "EnableScriptBlockLogging" -expectedValue 1 + $rules = $all_rules | Where-Object { RuleFilter $_ $eids $channels $guid } + $rules | ForEach-Object { $_.applicable = $enabled } + $auditResult += [WELA]::New( + "PowerShell", + "ScriptBlock", + $enabled, + [array]$rules, + "Patially", + "Enabled", + "", + "" + ) + + # PrintService Admin + $guid = "" + $eids = @() + $channels = @("Microsoft-Windows-PrintService/Admin") + $enabled = $true + $rules = $all_rules | Where-Object { RuleFilter $_ $eids $channels $guid } + $rules | ForEach-Object { $_.applicable = $enabled } + $auditResult += [WELA]::New( + "PrintService", + "PrintService Admin", + $enabled, + [array]$rules, + "Enabled", + "", + "", + "" + ) + + # PrintService Operational + $guid = "" + $eids = @() + $channels = @("Microsoft-Windows-PrintService/Operational") + $enabled = $true + $rules = $all_rules | Where-Object { RuleFilter $_ $eids $channels $guid } + $rules | ForEach-Object { $_.applicable = $enabled } + $auditResult += [WELA]::New( + "PrintService", + "PrintService Operational", + $enabled, + [array]$rules, + "Enabled", + "", + "", + "" + ) + + # Security + ## Advanced + ### Account Logon + #### Credential Validation + $guid = "0CCE923F-69AE-11D9-BED3-505054503030" + $eids = @() + $channels = @("sec") + $enabled = $enabledguid -contains $guid + $rules = ApplyRules -enabled $enabled -rules $all_rules 
-guid $guid + $auditResult += [WELA]::New( + "Security Advanced (Account Logon)", + "Credential Validation", + $enabled, + [array]$rules, + "Client OS: No Auditing | Server OS: Success", + "Success and Failure", + "", + "" + ) + + #### Kerberos Authentication Service + $guid = "0CCE9242-69AE-11D9-BED3-505054503030" + $eids = @() + $channels = @("sec") + $enabled = $enabledguid -contains $guid + $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $auditResult += [WELA]::New( + "Security Advanced (Account Logon)", + "Kerberos Authentication Service", + $enabled, + [array]$rules, + "Client OS: No Auditing | Server OS: Success", + "", + "", + "" + ) + + #### Kerberos Service Ticket Operations + $guid = "0CCE9240-69AE-11D9-BED3-505054503030" + $eids = @() + $channels = @("sec") + $enabled = $enabledguid -contains $guid + $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $auditResult += [WELA]::New( + "Security Advanced (Account Logon)", + "Kerberos Service Ticket Operations", + $enabled, + [array]$rules, + "Client OS: No Auditing | Server OS: Success", + "", + "", + "" + ) + + ### Account Management + #### Computer Account Management + $guid = "0CCE9236-69AE-11D9-BED3-505054503030" + $eids = @() + $channels = @("sec") + $enabled = $enabledguid -contains $guid + $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $auditResult += [WELA]::New( + "Security Advanced (Account Management)", + "Computer Account Management", + $enabled, + [array]$rules, + "Client OS: No Auditing | Server OS: Success", + "Success and Failure", + "", + "" + ) + + #### Other Account Management Events + $guid = "0CCE923A-69AE-11D9-BED3-505054503030" + $eids = @() + $channels = @("sec") + $enabled = $enabledguid -contains $guid + $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $auditResult += [WELA]::New( + "Security Advanced (Account Management)", + "Other Account Management Events", + $enabled, + [array]$rules, + "No 
Auditing", + "Success and Failure", + "", + "" + ) + + #### Security Group Management + $guid = "0CCE9237-69AE-11D9-BED3-505054503030" + $eids = @() + $channels = @("sec") + $enabled = $enabledguid -contains $guid + $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $auditResult += [WELA]::New( + "Security Advanced (Account Management)", + "Security Group Management", + $enabled, + [array]$rules, + "No Auditing", + "Success and Failure", + "", + "" + ) + + #### User Account Management + $guid = "0CCE9235-69AE-11D9-BED3-505054503030" + $eids = @() + $channels = @("sec") + $enabled = $enabledguid -contains $guid + $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $auditResult += [WELA]::New( + "Security Advanced (Account Management)", + "User Account Management", + $enabled, + [array]$rules, + "No Auditing", + "Success and Failure", + "", + "" + ) + + ### Detailed Tracking + #### Plug and Play Events + $guid = "0CCE9248-69AE-11D9-BED3-505054503030" + $eids = @() + $channels = @("sec") + $enabled = $enabledguid -contains $guid + $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $auditResult += [WELA]::New( + "Security Advanced (Detailed Tracking)", + "Plug and Play Events", + $enabled, + [array]$rules, + "No Auditing", + "", + "", + "" + ) + + #### Process Creation + $guid = "0CCE922B-69AE-11D9-BED3-505054503030" + $eids = @() + $channels = @("sec") + $enabled = $enabledguid -contains $guid + $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $auditResult += [WELA]::New( + "Security Advanced (Detailed Tracking)", + "Process Creation", + $enabled, + [array]$rules, + "No Auditing", + "Success", + "", + "Include command line in process creation events" + ) + + #### Process Termination + $guid = "0CCE922C-69AE-11D9-BED3-505054503030" + $eids = @() + $channels = @("sec") + $enabled = $enabledguid -contains $guid + $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $auditResult 
+= [WELA]::New( + "Security Advanced (Detailed Tracking)", + "Process Termination", + $enabled, + [array]$rules, + "No Auditing", + "Success", + "", + "" + ) + + #### RPC Events + $guid = "0CCE922E-69AE-11D9-BED3-505054503030" + $eids = @() + $channels = @("sec") + $enabled = $enabledguid -contains $guid + $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $auditResult += [WELA]::New( + "Security Advanced (Detailed Tracking)", + "RPC Events", + $enabled, + [array]$rules, + "No Auditing", + "No Auditing", + "", + "" + ) + + #### Token Right Adjusted Events + $guid = "0CCE922E-69AE-11D9-BED3-505054503030" + $eids = @() + $channels = @("sec") + $enabled = $enabledguid -contains $guid + $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $auditResult += [WELA]::New( + "Security Advanced (Detailed Tracking)", + "Token Right Adjusted Events", + $enabled, + [array]$rules, + "No Auditing", + "No Auditing", + "", + "" + ) + + ### DS (Directory Service) Access + #### Directory Service Access + $guid = "0CCE923B-69AE-11D9-BED3-505054503030" + $eids = @() + $channels = @("sec") + $enabled = $enabledguid -contains $guid + $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $auditResult += [WELA]::New( + "Security Advanced (DS Access)", + "Directory Service Access", + $enabled, + [array]$rules, + "Client OS: No Auditing | Server OS: Success", + "", + "", + "" + ) + + #### Directory Service Changes + $guid = "0CCE923C-69AE-11D9-BED3-505054503030" + $eids = @() + $channels = @("sec") + $enabled = $enabledguid -contains $guid + $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $auditResult += [WELA]::New( + "Security Advanced (DS Access)", + "Directory Service Changes", + $enabled, + [array]$rules, + "No Auditing", + "", + "", + "" + ) + + ### Logon/Logoff + #### Account Lockout + $guid = "0CCE9217-69AE-11D9-BED3-505054503030" + $eids = @() + $channels = @("sec") + $enabled = $enabledguid -contains $guid + 
$rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $auditResult += [WELA]::New( + "Security Advanced (Logon/Logoff)", + "Account Lockout", + $enabled, + [array]$rules, + "Success", + "Failure", + "", + "" + ) + + #### Group Membership + $guid = "0CCE9249-69AE-11D9-BED3-505054503030" + $eids = @() + $channels = @("sec") + $enabled = $enabledguid -contains $guid + $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $auditResult += [WELA]::New( + "Security Advanced (Logon/Logoff)", + "Group Membership", + $enabled, + [array]$rules, + "No Auditing", + "Success", + "", + "" + ) + + #### Logoff + $guid = "0CCE9216-69AE-11D9-BED3-505054503030" + $eids = @() + $channels = @("sec") + $enabled = $enabledguid -contains $guid + $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $auditResult += [WELA]::New( + "Security Advanced (Logon/Logoff)", + "Group Membership", + $enabled, + [array]$rules, + "No Auditing", + "Success", + "", + "" + ) + + #### Logon + $guid = "0CCE9215-69AE-11D9-BED3-505054503030" + $eids = @() + $channels = @("sec") + $enabled = $enabledguid -contains $guid + $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $auditResult += [WELA]::New( + "Security Advanced (Logon/Logoff)", + "Logon", + $enabled, + [array]$rules, + "Client OS: Success | Server OS: Success and Failure", + "Success and Failure", + "", + "" + ) + + #### Other Logon/Logoff Events + $guid = "0CCE921C-69AE-11D9-BED3-505054503030" + $eids = @() + $channels = @("sec") + $enabled = $enabledguid -contains $guid + $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $auditResult += [WELA]::New( + "Security Advanced (Logon/Logoff)", + "Other Logon/Logoff Events", + $enabled, + [array]$rules, + "No Auditing", + "Success and Failure", + "", + "" + ) + + #### Special Logon + $guid = "0CCE921B-69AE-11D9-BED3-505054503030" + $eids = @() + $channels = @("sec") + $enabled = $enabledguid -contains $guid + $rules = 
ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $auditResult += [WELA]::New( + "Security Advanced (Logon/Logoff)", + "Special Logon", + $enabled, + [array]$rules, + "Success", + "Success and Failure", + "", + "" + ) + + + ### Object Access + #### Certification Services + $guid = "0CCE9221-69AE-11D9-BED3-505054503030" + $eids = @() + $channels = @("sec") + $enabled = $enabledguid -contains $guid + $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $auditResult += [WELA]::New( + "Security Advanced (Object Access)", + "Certification Services", + $enabled, + [array]$rules, + "No Auditing", + "", + "", + "" + ) + + #### Detailed File Share + $guid = "0CCE9244-69AE-11D9-BED3-505054503030" + $eids = @() + $channels = @("sec") + $enabled = $enabledguid -contains $guid + $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $auditResult += [WELA]::New( + "Security Advanced (Object Access)", + "Certification Services", + $enabled, + [array]$rules, + "No Auditing", + "No Auditing", + "", + "Enabling this setting is not recommended due to the high noise level)" + ) + + #### File Share + $guid = "0CCE9224-69AE-11D9-BED3-505054503030" + $eids = @() + $channels = @("sec") + $enabled = $enabledguid -contains $guid + $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $auditResult += [WELA]::New( + "Security Advanced (Object Access)", + "File Share", + $enabled, + [array]$rules, + "No Auditing", + "Success and Failure", + "", + "" + ) + + #### File System + $guid = "0CCE921D-69AE-11D9-BED3-505054503030" + $eids = @() + $channels = @("sec") + $enabled = $enabledguid -contains $guid + $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $auditResult += [WELA]::New( + "Security Advanced (Object Access)", + "File System", + $enabled, + [array]$rules, + "No Auditing", + "", + "", + "" + ) + + #### Filtering Platform Connection + $guid = "0CCE9226-69AE-11D9-BED3-505054503030" + $eids = @() + $channels = 
@("sec") + $enabled = $enabledguid -contains $guid + $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $auditResult += [WELA]::New( + "Security Advanced (Object Access)", + "Filtering Platform Connection", + $enabled, + [array]$rules, + "No Auditing", + "", + "", + "" + ) + + #### Filtering Platform Packet Drop + $guid = "0CCE9225-69AE-11D9-BED3-505054503030" + $eids = @() + $channels = @("sec") + $enabled = $enabledguid -contains $guid + $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $auditResult += [WELA]::New( + "Security Advanced (Object Access)", + "Filtering Platform Packet Drop", + $enabled, + [array]$rules, + "No Auditing", + "", + "", + "" + ) + + #### Kernel Object + $guid = "0CCE921F-69AE-11D9-BED3-505054503030" + $eids = @() + $channels = @("sec") + $enabled = $enabledguid -contains $guid + $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $auditResult += [WELA]::New( + "Security Advanced (Object Access)", + "Kernel Object", + $enabled, + [array]$rules, + "No Auditing", + "Success and Failure", + "", + "" + ) + + #### Handle Manipulation + $guid = "0CCE9223-69AE-11D9-BED3-505054503030" + $eids = @() + $channels = @("sec") + $enabled = $enabledguid -contains $guid + $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $auditResult += [WELA]::New( + "Security Advanced (Object Access)", + "Handle Manipulation", + $enabled, + [array]$rules, + "No Auditing", + "", + "", + "" + ) + + #### Other Object Access Events + $guid = "0CCE9227-69AE-11D9-BED3-505054503030" + $eids = @() + $channels = @("sec") + $enabled = $enabledguid -contains $guid + $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $auditResult += [WELA]::New( + "Security Advanced (Object Access)", + "Other Object Access Events", + $enabled, + [array]$rules, + "No Auditing", + "Success and Failure", + "", + "" + ) + + #### Registry + $guid = "0CCE921E-69AE-11D9-BED3-505054503030" + $eids = @() + 
$channels = @("sec") + $enabled = $enabledguid -contains $guid + $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $auditResult += [WELA]::New( + "Security Advanced (Object Access)", + "Registry", + $enabled, + [array]$rules, + "No Auditing", + "Success and Failure", + "", + "" + ) + + #### Removable Storage + $guid = "0CCE9245-69AE-11D9-BED3-505054503030" + $eids = @() + $channels = @("sec") + $enabled = $enabledguid -contains $guid + $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $auditResult += [WELA]::New( + "Security Advanced (Object Access)", + "Removable Storage", + $enabled, + [array]$rules, + "No Auditing", + "", + "", + "" + ) + + #### SAM + $guid = "0CCE9220-69AE-11D9-BED3-505054503030" + $eids = @() + $channels = @("sec") + $enabled = $enabledguid -contains $guid + $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $auditResult += [WELA]::New( + "Security Advanced (Object Access)", + "SAM", + $enabled, + [array]$rules, + "No Auditing", + "", + "", + "" + ) + + ### Policy Change + #### Audit Policy Change + $guid = "0CCE922F-69AE-11D9-BED3-505054503030" + $eids = @() + $channels = @("sec") + $enabled = $enabledguid -contains $guid + $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $auditResult += [WELA]::New( + "Security Advanced (Policy Change)", + "Audit Policy Change", + $enabled, + [array]$rules, + "Success", + "Success and Failure", + "", + "" + ) + + #### Authentication Policy Change + $guid = "0CCE9230-69AE-11D9-BED3-505054503030" + $eids = @() + $channels = @("sec") + $enabled = $enabledguid -contains $guid + $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $auditResult += [WELA]::New( + "Security Advanced (Policy Change)", + "Authentication Policy Change", + $enabled, + [array]$rules, + "Success", + "", + "", + "" + ) + + #### Authorization Policy Change + $guid = "0CCE9231-69AE-11D9-BED3-505054503030" + $eids = @() + $channels = @("sec") + 
$enabled = $enabledguid -contains $guid + $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $auditResult += [WELA]::New( + "Security Advanced (Policy Change)", + "Authorization Policy Change", + $enabled, + [array]$rules, + "No Auditing", + "", + "", + "" + ) + + #### Filtering Platform Policy Change + $guid = "0CCE9233-69AE-11D9-BED3-505054503030" + $eids = @() + $channels = @("sec") + $enabled = $enabledguid -contains $guid + $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $auditResult += [WELA]::New( + "Security Advanced (Policy Change)", + "Filtering Platform Policy Change", + $enabled, + [array]$rules, + "No Auditing", + "", + "", + "" + ) + + #### MPSSVC Rule-Level Policy Change + $guid = "0CCE9232-69AE-11D9-BED3-505054503030" + $eids = @() + $channels = @("sec") + $enabled = $enabledguid -contains $guid + $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $auditResult += [WELA]::New( + "Security Advanced (Policy Change)", + "MPSSVC Rule-Level Policy Change", + $enabled, + [array]$rules, + "No Auditing", + "", + "", + "" + ) + + #### Other Policy Change Events + $guid = "0CCE9234-69AE-11D9-BED3-505054503030" + $eids = @() + $channels = @("sec") + $enabled = $enabledguid -contains $guid + $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $auditResult += [WELA]::New( + "Security Advanced (Policy Change)", + "Other Policy Change Events", + $enabled, + [array]$rules, + "No Auditing", + "Success and Failure", + "", + "" + ) + + ### Privilege Use + #### Non-Sensitive Privilege Use + $guid = "0CCE9229-69AE-11D9-BED3-505054503030" + $eids = @() + $channels = @("sec") + $enabled = $enabledguid -contains $guid + $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $auditResult += [WELA]::New( + "Security Advanced (Privilege Use)", + "Non-Sensitive Privilege Use", + $enabled, + [array]$rules, + "No Auditing", + "", + "", + "" + ) + + #### Sensitive Privilege Use + $guid = 
"0CCE9228-69AE-11D9-BED3-505054503030" + $eids = @() + $channels = @("sec") + $enabled = $enabledguid -contains $guid + $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $auditResult += [WELA]::New( + "Security Advanced (Privilege Use)", + "Sensitive Privilege Use", + $enabled, + [array]$rules, + "No Auditing", + "", + "", + "" + ) + + ### System + #### Other System Events + $guid = "0CCE9214-69AE-11D9-BED3-505054503030" + $eids = @() + $channels = @("sec") + $enabled = $enabledguid -contains $guid + $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $auditResult += [WELA]::New( + "Security Advanced (System)", + "Other System Events", + $enabled, + [array]$rules, + "Success and Failure", + "", + "", + "" + ) + + #### Security State Change + $guid = "0CCE9210-69AE-11D9-BED3-505054503030" + $eids = @() + $channels = @("sec") + $enabled = $enabledguid -contains $guid + $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $auditResult += [WELA]::New( + "Security Advanced (System)", + "Other System Events", + $enabled, + [array]$rules, + "Success", + "", + "", + "" + ) + + #### Security System Extension + $guid = "0CCE9211-69AE-11D9-BED3-505054503030" + $eids = @() + $channels = @("sec") + $enabled = $enabledguid -contains $guid + $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $auditResult += [WELA]::New( + "Security Advanced (System)", + "Security System Extension", + $enabled, + [array]$rules, + "No Auditing", + "", + "", + "" + ) + + #### System Integrity + $guid = "0CCE9212-69AE-11D9-BED3-505054503030" + $eids = @() + $channels = @("sec") + $enabled = $enabledguid -contains $guid + $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $auditResult += [WELA]::New( + "Security Advanced (System)", + "System Integrity", + $enabled, + [array]$rules, + "Success and Failure", + "Success and Failure", + "", + "" + ) + + # Security-Mitigations KernelMode + $guid = "" + $eids = @() 
+ $channels = @("Microsoft-Windows-Security-Mitigations*") + $enabled = $true + $rules = $all_rules | Where-Object { RuleFilter $_ $eids $channels $guid } + $rules | ForEach-Object { $_.applicable = $enabled } + $auditResult += [WELA]::New( + "Security-Mitigations KernelMode", + "", + $enabled, + [array]$rules, + "Enabled", + "", + "", + "" + ) + + # Security-Mitigations UserMode + $guid = "" + $eids = @() + $channels = @("Microsoft-Windows-Security-Mitigations*") + $enabled = $true + $rules = $all_rules | Where-Object { RuleFilter $_ $eids $channels $guid } + $rules | ForEach-Object { $_.applicable = $enabled } + $auditResult += [WELA]::New( + "Security-Mitigations UserMode", + "", + $enabled, + [array]$rules, + "Enabled", + "", + "", + "" + ) + + # SMBClient Security + $guid = "" + $eids = @() + $channels = @("Microsoft-Windows-SmbClient/Security") + $enabled = $true + $rules = $all_rules | Where-Object { RuleFilter $_ $eids $channels $guid } + $rules | ForEach-Object { $_.applicable = $enabled } + $auditResult += [WELA]::New( + "SMBClient Security", + "", + $enabled, + [array]$rules, + "Enabled", + "", + "", + "" + ) + + # System + $guid = "" + $eids = @() + $channels = @("System") + $enabled = $true + $rules = $all_rules | Where-Object { RuleFilter $_ $eids $channels $guid } + $rules | ForEach-Object { $_.applicable = $enabled } + $auditResult += [WELA]::New( + "System", + "", + $enabled, + [array]$rules, + "Enabled", + "", + "", + "" + ) + + # TaskScheduler Operational + $guid = "" + $eids = @() + $channels = @("Microsoft-Windows-TaskScheduler/Operational") + $enabled = $true + $rules = $all_rules | Where-Object { RuleFilter $_ $eids $channels $guid } + $rules | ForEach-Object { $_.applicable = $enabled } + $auditResult += [WELA]::New( + "TaskScheduler Operational", + "", + $enabled, + [array]$rules, + "Enabled", + "", + "", + "" + ) + + # TerminalServices-LocalSessionManager Operational + $guid = "" + $eids = @() + $channels = 
@("Microsoft-Windows-TerminalServices-LocalSessionManager/Operational") + $enabled = $true + $rules = $all_rules | Where-Object { RuleFilter $_ $eids $channels $guid } + $rules | ForEach-Object { $_.applicable = $enabled } + $auditResult += [WELA]::New( + "TerminalServices-LocalSessionManager Operational", + "", + $enabled, + [array]$rules, + "Enabled", + "", + "", + "" + ) + + # WMI-Activity Operational + $guid = "" + $eids = @() + $channels = @("Microsoft-Windows-WMI-Activity/Operational") + $enabled = $true + $rules = $all_rules | Where-Object { RuleFilter $_ $eids $channels $guid } + $rules | ForEach-Object { $_.applicable = $enabled } + $auditResult += [WELA]::New( + "WMI-Activity Operational", + "", + $enabled, + [array]$rules, + "Enabled", + "", + "", + "" + ) + + # Windows Defender Operational + $guid = "" + $eids = @() + $channels = @("Microsoft-Windows-Windows Defender/Operational") + $enabled = $true + $rules = $all_rules | Where-Object { RuleFilter $_ $eids $channels $guid } + $rules | ForEach-Object { $_.applicable = $enabled } + $auditResult += [WELA]::New( + "Windows Defender Operational", + "", + $enabled, + [array]$rules, + "Enabled", + "", + "", + "" + ) + return $auditResult +} + +function GuideMSC { + param ( + [object[]] $all_rules + ) + + $auditResult = @() + # Application + $guid = "" + $eids = @() + $channels = @("Application") + $enabled = $true + $rules = $all_rules | Where-Object { RuleFilter $_ $eids $channels $guid } + $rules | ForEach-Object { $_.applicable = $enabled } + $auditResult += [WELA]::New( + "Application", + "", + $enabled, + [array]$rules, + "Enabled", + "", + "", + "" + ) + + # Applocker + $guid = "" + $eids = @() + $channels = @("Microsoft-Windows-AppLocker/MSI and Script", "Microsoft-Windows-AppLocker/EXE and DLL", "Microsoft-Windows-AppLocker/Packaged app-Deployment", "Microsoft-Windows-AppLocker/Packaged app-Execution") + $enabled = $true + $rules = $all_rules | Where-Object { RuleFilter $_ $eids $channels $guid } + 
$rules | ForEach-Object { $_.applicable = $enabled } + $auditResult += [WELA]::New( + "Applocker", + "", + $enabled, + [array]$rules, + "Enabled", + "", + "", + "" + ) + + # Bits-Client Operational + $guid = "" + $eids = @() + $channels = @("Microsoft-Windows-Bits-Client/Operational") + $enabled = $true + $rules = $all_rules | Where-Object { RuleFilter $_ $eids $channels $guid } + $rules | ForEach-Object { $_.applicable = $enabled } + $auditResult += [WELA]::New( + "Bits-Client Operational", + "", + $enabled, + [array]$rules, + "Enabled", + "", + "", + "" + ) + + # CodeIntegrity Operational + $guid = "" + $eids = @() + $channels = @("Microsoft-Windows-CodeIntegrity/Operational") + $enabled = $true + $rules = $all_rules | Where-Object { RuleFilter $_ $eids $channels $guid } + $rules | ForEach-Object { $_.applicable = $enabled } + $auditResult += [WELA]::New( + "CodeIntegrity Operational", + "", + $enabled, + [array]$rules, + "Enabled", + "", + "", + "" + ) + + # Diagnosis-Scripted Operational + $guid = "" + $eids = @() + $channels = @("Microsoft-Windows-Diagnosis-Scripted/Operational") + $enabled = $true + $rules = $all_rules | Where-Object { RuleFilter $_ $eids $channels $guid } + $rules | ForEach-Object { $_.applicable = $enabled } + $auditResult += [WELA]::New( + "Diagnosis-Scripted Operational", + "", + $enabled, + [array]$rules, + "Enabled", + "", + "", + "" + ) + + # DriverFrameworks-UserMode Operational + $guid = "" + $eids = @() + $channels = @("Microsoft-Windows-DriverFrameworks-UserMode/Operational") + $enabled = $true + $rules = $all_rules | Where-Object { RuleFilter $_ $eids $channels $guid } + $rules | ForEach-Object { $_.applicable = $enabled } + $auditResult += [WELA]::New( + "DriverFrameworks-UserMode Operational", + "", + $enabled, + [array]$rules, + "Enabled", + "", + "", + "" + ) + + # Firewall + $guid = "" + $eids = @() + $channels = @("Microsoft-Windows-Windows Firewall With Advanced Security/Firewall") + $enabled = $true + $rules = $all_rules | 
Where-Object { RuleFilter $_ $eids $channels $guid } + $rules | ForEach-Object { $_.applicable = $enabled } + $auditResult += [WELA]::New( + "Firewall", + "", + $enabled, + [array]$rules, + "Enabled", + "", + "", + "" + ) + + # NTLM Operational + $guid = "" + $eids = @() + $channels = @("Microsoft-Windows-Diagnosis-Scripted/Operational") + $enabled = $true + $rules = $all_rules | Where-Object { RuleFilter $_ $eids $channels $guid } + $rules | ForEach-Object { $_.applicable = $enabled } + $auditResult += [WELA]::New( + "Microsoft-Windows-NTLM/Operational", + "", + $enabled, + [array]$rules, + "Enabled", + "", + "", + "" + ) + + # PowerShell + ## Classic + $guid = "" + $eids = @("400") + $channels = @("pwsh") + $enabled = $true + $rules = $all_rules | Where-Object { RuleFilter $_ $eids $channels $guid } + $rules | ForEach-Object { $_.applicable = $enabled } + $auditResult += [WELA]::New( + "PowerShell", + "Classic", + $enabled, + [array]$rules, + "Enabled", + "", + "", + "" + ) + + ## Module + $guid = "" + $eids = @("4103") + $channels = @("pwsh") + $enabled = CheckRegistryValue -registryPath "HKLM:\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\PowerShell\ModuleLogging" -valueName "EnableModuleLogging" -expectedValue 1 + $rules = $all_rules | Where-Object { RuleFilter $_ $eids $channels $guid } + $rules | ForEach-Object { $_.applicable = $enabled } + $auditResult += [WELA]::New( + "PowerShell", + "Module", + $enabled, + [array]$rules, + "No Auditing", + "", + "", + "" + ) + + ## ScriptBlock + $guid = "" + $eids = @("4104") + $channels = @("pwsh") + $enabled = CheckRegistryValue -registryPath "HKLM:\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging" -valueName "EnableScriptBlockLogging" -expectedValue 1 + $rules = $all_rules | Where-Object { RuleFilter $_ $eids $channels $guid } + $rules | ForEach-Object { $_.applicable = $enabled } + $auditResult += [WELA]::New( + "PowerShell", + "ScriptBlock", + $enabled, + [array]$rules, + "Patially", 
+ "", + "", + "" + ) + + # PrintService Admin + $guid = "" + $eids = @() + $channels = @("Microsoft-Windows-PrintService/Admin") + $enabled = $true + $rules = $all_rules | Where-Object { RuleFilter $_ $eids $channels $guid } + $rules | ForEach-Object { $_.applicable = $enabled } + $auditResult += [WELA]::New( + "PrintService", + "PrintService Admin", + $enabled, + [array]$rules, + "Enabled", + "", + "", + "" + ) + + # PrintService Operational + $guid = "" + $eids = @() + $channels = @("Microsoft-Windows-PrintService/Operational") + $enabled = $true + $rules = $all_rules | Where-Object { RuleFilter $_ $eids $channels $guid } + $rules | ForEach-Object { $_.applicable = $enabled } + $auditResult += [WELA]::New( + "PrintService", + "PrintService Operational", + $enabled, + [array]$rules, + "Enabled", + "", + "", + "" + ) + + # Security + ## Advanced + ### Account Logon + #### Credential Validation + $guid = "0CCE923F-69AE-11D9-BED3-505054503030" + $eids = @() + $channels = @("sec") + $enabled = $enabledguid -contains $guid + $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $auditResult += [WELA]::New( + "Security Advanced (Account Logon)", + "Credential Validation", + $enabled, + [array]$rules, + "Client OS: No Auditing | Server OS: Success", + "Success and Failure", + "", + "" + ) + + #### Kerberos Authentication Service + $guid = "0CCE9242-69AE-11D9-BED3-505054503030" + $eids = @() + $channels = @("sec") + $enabled = $enabledguid -contains $guid + $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $auditResult += [WELA]::New( + "Security Advanced (Account Logon)", + "Kerberos Authentication Service", + $enabled, + [array]$rules, + "Client OS: No Auditing | Server OS: Success", + "", + "", + "" + ) + + #### Kerberos Service Ticket Operations + $guid = "0CCE9240-69AE-11D9-BED3-505054503030" + $eids = @() + $channels = @("sec") + $enabled = $enabledguid -contains $guid + $rules = ApplyRules -enabled $enabled -rules $all_rules 
-guid $guid + $auditResult += [WELA]::New( + "Security Advanced (Account Logon)", + "Kerberos Service Ticket Operations", + $enabled, + [array]$rules, + "Client OS: No Auditing | Server OS: Success", + "", + "", + "" + ) + + ### Account Management + #### Computer Account Management + $guid = "0CCE9236-69AE-11D9-BED3-505054503030" + $eids = @() + $channels = @("sec") + $enabled = $enabledguid -contains $guid + $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $auditResult += [WELA]::New( + "Security Advanced (Account Management)", + "Computer Account Management", + $enabled, + [array]$rules, + "Client OS: No Auditing | Server OS: Success", + "Success", + "", + "" + ) + + #### Other Account Management Events + $guid = "0CCE923A-69AE-11D9-BED3-505054503030" + $eids = @() + $channels = @("sec") + $enabled = $enabledguid -contains $guid + $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $auditResult += [WELA]::New( + "Security Advanced (Account Management)", + "Other Account Management Events", + $enabled, + [array]$rules, + "No Auditing", + "Success", + "", + "" + ) + + #### Security Group Management + $guid = "0CCE9237-69AE-11D9-BED3-505054503030" + $eids = @() + $channels = @("sec") + $enabled = $enabledguid -contains $guid + $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $auditResult += [WELA]::New( + "Security Advanced (Account Management)", + "Security Group Management", + $enabled, + [array]$rules, + "No Auditing", + "Success", + "", + "" + ) + + #### User Account Management + $guid = "0CCE9235-69AE-11D9-BED3-505054503030" + $eids = @() + $channels = @("sec") + $enabled = $enabledguid -contains $guid + $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $auditResult += [WELA]::New( + "Security Advanced (Account Management)", + "User Account Management", + $enabled, + [array]$rules, + "No Auditing", + "Success", + "", + "" + ) + + ### Detailed Tracking + #### Plug and Play Events + 
$guid = "0CCE9248-69AE-11D9-BED3-505054503030" + $eids = @() + $channels = @("sec") + $enabled = $enabledguid -contains $guid + $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $auditResult += [WELA]::New( + "Security Advanced (Detailed Tracking)", + "Plug and Play Events", + $enabled, + [array]$rules, + "No Auditing", + "", + "", + "" + ) + + #### Process Creation + $guid = "0CCE922B-69AE-11D9-BED3-505054503030" + $eids = @() + $channels = @("sec") + $enabled = $enabledguid -contains $guid + $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $auditResult += [WELA]::New( + "Security Advanced (Detailed Tracking)", + "Process Creation", + $enabled, + [array]$rules, + "No Auditing", + "Success", + "", + "Include command line in process creation events" + ) + + #### Process Termination + $guid = "0CCE922C-69AE-11D9-BED3-505054503030" + $eids = @() + $channels = @("sec") + $enabled = $enabledguid -contains $guid + $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $auditResult += [WELA]::New( + "Security Advanced (Detailed Tracking)", + "Process Termination", + $enabled, + [array]$rules, + "No Auditing", + "", + "", + "" + ) + + #### RPC Events + $guid = "0CCE922E-69AE-11D9-BED3-505054503030" + $eids = @() + $channels = @("sec") + $enabled = $enabledguid -contains $guid + $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $auditResult += [WELA]::New( + "Security Advanced (Detailed Tracking)", + "RPC Events", + $enabled, + [array]$rules, + "No Auditing", + "", + "", + "" + ) + + #### Token Right Adjusted Events + $guid = "0CCE922E-69AE-11D9-BED3-505054503030" + $eids = @() + $channels = @("sec") + $enabled = $enabledguid -contains $guid + $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $auditResult += [WELA]::New( + "Security Advanced (Detailed Tracking)", + "Token Right Adjusted Events", + $enabled, + [array]$rules, + "No Auditing", + "", + "", + "" + ) + + ### DS 
(Directory Service) Access + #### Directory Service Access + $guid = "0CCE923B-69AE-11D9-BED3-505054503030" + $eids = @() + $channels = @("sec") + $enabled = $enabledguid -contains $guid + $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $auditResult += [WELA]::New( + "Security Advanced (DS Access)", + "Directory Service Access", + $enabled, + [array]$rules, + "Client OS: No Auditing | Server OS: Success", + "", + "", + "" + ) + + #### Directory Service Changes + $guid = "0CCE923C-69AE-11D9-BED3-505054503030" + $eids = @() + $channels = @("sec") + $enabled = $enabledguid -contains $guid + $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $auditResult += [WELA]::New( + "Security Advanced (DS Access)", + "Directory Service Changes", + $enabled, + [array]$rules, + "No Auditing", + "", + "", + "" + ) + + ### Logon/Logoff + #### Account Lockout + $guid = "0CCE9217-69AE-11D9-BED3-505054503030" + $eids = @() + $channels = @("sec") + $enabled = $enabledguid -contains $guid + $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $auditResult += [WELA]::New( + "Security Advanced (Logon/Logoff)", + "Account Lockout", + $enabled, + [array]$rules, + "Success", + "Failure", + "", + "" + ) + + #### Group Membership + $guid = "0CCE9249-69AE-11D9-BED3-505054503030" + $eids = @() + $channels = @("sec") + $enabled = $enabledguid -contains $guid + $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $auditResult += [WELA]::New( + "Security Advanced (Logon/Logoff)", + "Group Membership", + $enabled, + [array]$rules, + "No Auditing", + "Success", + "", + "" + ) + + #### Logoff + $guid = "0CCE9216-69AE-11D9-BED3-505054503030" + $eids = @() + $channels = @("sec") + $enabled = $enabledguid -contains $guid + $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $auditResult += [WELA]::New( + "Security Advanced (Logon/Logoff)", + "Group Membership", + $enabled, + [array]$rules, + "No Auditing", + 
"Success", + "", + "" + ) + + #### Logon + $guid = "0CCE9215-69AE-11D9-BED3-505054503030" + $eids = @() + $channels = @("sec") + $enabled = $enabledguid -contains $guid + $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $auditResult += [WELA]::New( + "Security Advanced (Logon/Logoff)", + "Logon", + $enabled, + [array]$rules, + "Client OS: Success | Server OS: Success and Failure", + "Success and Failure", + "", + "" + ) + + #### Other Logon/Logoff Events + $guid = "0CCE921C-69AE-11D9-BED3-505054503030" + $eids = @() + $channels = @("sec") + $enabled = $enabledguid -contains $guid + $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $auditResult += [WELA]::New( + "Security Advanced (Logon/Logoff)", + "Other Logon/Logoff Events", + $enabled, + [array]$rules, + "No Auditing", + "Success and Failure", + "", + "" + ) + + #### Special Logon + $guid = "0CCE921B-69AE-11D9-BED3-505054503030" + $eids = @() + $channels = @("sec") + $enabled = $enabledguid -contains $guid + $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $auditResult += [WELA]::New( + "Security Advanced (Logon/Logoff)", + "Special Logon", + $enabled, + [array]$rules, + "Success", + "Success", + "", + "" + ) + + + ### Object Access + #### Certification Services + $guid = "0CCE9221-69AE-11D9-BED3-505054503030" + $eids = @() + $channels = @("sec") + $enabled = $enabledguid -contains $guid + $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $auditResult += [WELA]::New( + "Security Advanced (Object Access)", + "Certification Services", + $enabled, + [array]$rules, + "No Auditing", + "", + "", + "" + ) + + #### Detailed File Share + $guid = "0CCE9244-69AE-11D9-BED3-505054503030" + $eids = @() + $channels = @("sec") + $enabled = $enabledguid -contains $guid + $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $auditResult += [WELA]::New( + "Security Advanced (Object Access)", + "Certification Services", + $enabled, + 
[array]$rules, + "No Auditing", + "", + "", + "Enabling this setting is not recommended due to the high noise level)" + ) + + #### File Share + $guid = "0CCE9224-69AE-11D9-BED3-505054503030" + $eids = @() + $channels = @("sec") + $enabled = $enabledguid -contains $guid + $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $auditResult += [WELA]::New( + "Security Advanced (Object Access)", + "File Share", + $enabled, + [array]$rules, + "No Auditing", + "Success and Failure", + "", + "" + ) + + #### File System + $guid = "0CCE921D-69AE-11D9-BED3-505054503030" + $eids = @() + $channels = @("sec") + $enabled = $enabledguid -contains $guid + $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $auditResult += [WELA]::New( + "Security Advanced (Object Access)", + "File System", + $enabled, + [array]$rules, + "No Auditing", + "", + "", + "" + ) + + #### Filtering Platform Connection + $guid = "0CCE9226-69AE-11D9-BED3-505054503030" + $eids = @() + $channels = @("sec") + $enabled = $enabledguid -contains $guid + $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $auditResult += [WELA]::New( + "Security Advanced (Object Access)", + "Filtering Platform Connection", + $enabled, + [array]$rules, + "No Auditing", + "", + "", + "" + ) + + #### Filtering Platform Packet Drop + $guid = "0CCE9225-69AE-11D9-BED3-505054503030" + $eids = @() + $channels = @("sec") + $enabled = $enabledguid -contains $guid + $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $auditResult += [WELA]::New( + "Security Advanced (Object Access)", + "Filtering Platform Packet Drop", + $enabled, + [array]$rules, + "No Auditing", + "", + "", + "" + ) + + #### Kernel Object + $guid = "0CCE921F-69AE-11D9-BED3-505054503030" + $eids = @() + $channels = @("sec") + $enabled = $enabledguid -contains $guid + $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $auditResult += [WELA]::New( + "Security Advanced (Object Access)", + 
"Kernel Object", + $enabled, + [array]$rules, + "No Auditing", + "Success and Failure", + "", + "" + ) + + #### Handle Manipulation + $guid = "0CCE9223-69AE-11D9-BED3-505054503030" + $eids = @() + $channels = @("sec") + $enabled = $enabledguid -contains $guid + $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $auditResult += [WELA]::New( + "Security Advanced (Object Access)", + "Handle Manipulation", + $enabled, + [array]$rules, + "No Auditing", + "", + "", + "" + ) + + #### Other Object Access Events + $guid = "0CCE9227-69AE-11D9-BED3-505054503030" + $eids = @() + $channels = @("sec") + $enabled = $enabledguid -contains $guid + $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $auditResult += [WELA]::New( + "Security Advanced (Object Access)", + "Other Object Access Events", + $enabled, + [array]$rules, + "No Auditing", + "Success and Failure", + "", + "" + ) + + #### Registry + $guid = "0CCE921E-69AE-11D9-BED3-505054503030" + $eids = @() + $channels = @("sec") + $enabled = $enabledguid -contains $guid + $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $auditResult += [WELA]::New( + "Security Advanced (Object Access)", + "Registry", + $enabled, + [array]$rules, + "No Auditing", + "Success and Failure", + "", + "" + ) + + #### Removable Storage + $guid = "0CCE9245-69AE-11D9-BED3-505054503030" + $eids = @() + $channels = @("sec") + $enabled = $enabledguid -contains $guid + $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $auditResult += [WELA]::New( + "Security Advanced (Object Access)", + "Removable Storage", + $enabled, + [array]$rules, + "No Auditing", + "", + "", + "" + ) + + #### SAM + $guid = "0CCE9220-69AE-11D9-BED3-505054503030" + $eids = @() + $channels = @("sec") + $enabled = $enabledguid -contains $guid + $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $auditResult += [WELA]::New( + "Security Advanced (Object Access)", + "SAM", + $enabled, + 
[array]$rules, + "No Auditing", + "", + "", + "" + ) + + ### Policy Change + #### Audit Policy Change + $guid = "0CCE922F-69AE-11D9-BED3-505054503030" + $eids = @() + $channels = @("sec") + $enabled = $enabledguid -contains $guid + $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $auditResult += [WELA]::New( + "Security Advanced (Policy Change)", + "Audit Policy Change", + $enabled, + [array]$rules, + "Success", + "Success and Failure", + "", + "" + ) + + #### Authentication Policy Change + $guid = "0CCE9230-69AE-11D9-BED3-505054503030" + $eids = @() + $channels = @("sec") + $enabled = $enabledguid -contains $guid + $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $auditResult += [WELA]::New( + "Security Advanced (Policy Change)", + "Authentication Policy Change", + $enabled, + [array]$rules, + "Success", + "Success", + "", + "" + ) + + #### Authorization Policy Change + $guid = "0CCE9231-69AE-11D9-BED3-505054503030" + $eids = @() + $channels = @("sec") + $enabled = $enabledguid -contains $guid + $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $auditResult += [WELA]::New( + "Security Advanced (Policy Change)", + "Authorization Policy Change", + $enabled, + [array]$rules, + "No Auditing", + "", + "", + "" + ) + + #### Filtering Platform Policy Change + $guid = "0CCE9233-69AE-11D9-BED3-505054503030" + $eids = @() + $channels = @("sec") + $enabled = $enabledguid -contains $guid + $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $auditResult += [WELA]::New( + "Security Advanced (Policy Change)", + "Filtering Platform Policy Change", + $enabled, + [array]$rules, + "No Auditing", + "", + "", + "" + ) + + #### MPSSVC Rule-Level Policy Change + $guid = "0CCE9232-69AE-11D9-BED3-505054503030" + $eids = @() + $channels = @("sec") + $enabled = $enabledguid -contains $guid + $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $auditResult += [WELA]::New( + "Security Advanced 
(Policy Change)", + "MPSSVC Rule-Level Policy Change", + $enabled, + [array]$rules, + "No Auditing", + "", + "", + "" + ) + + #### Other Policy Change Events + $guid = "0CCE9234-69AE-11D9-BED3-505054503030" + $eids = @() + $channels = @("sec") + $enabled = $enabledguid -contains $guid + $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $auditResult += [WELA]::New( + "Security Advanced (Policy Change)", + "Other Policy Change Events", + $enabled, + [array]$rules, + "No Auditing", + "Success and Failure", + "", + "" + ) + + ### Privilege Use + #### Non-Sensitive Privilege Use + $guid = "0CCE9229-69AE-11D9-BED3-505054503030" + $eids = @() + $channels = @("sec") + $enabled = $enabledguid -contains $guid + $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $auditResult += [WELA]::New( + "Security Advanced (Privilege Use)", + "Non-Sensitive Privilege Use", + $enabled, + [array]$rules, + "No Auditing", + "", + "", + "" + ) + + #### Sensitive Privilege Use + $guid = "0CCE9228-69AE-11D9-BED3-505054503030" + $eids = @() + $channels = @("sec") + $enabled = $enabledguid -contains $guid + $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $auditResult += [WELA]::New( + "Security Advanced (Privilege Use)", + "Sensitive Privilege Use", + $enabled, + [array]$rules, + "No Auditing", + "", + "", + "" + ) + + ### System + #### Other System Events + $guid = "0CCE9214-69AE-11D9-BED3-505054503030" + $eids = @() + $channels = @("sec") + $enabled = $enabledguid -contains $guid + $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $auditResult += [WELA]::New( + "Security Advanced (System)", + "Other System Events", + $enabled, + [array]$rules, + "Success and Failure", + "", + "", + "" + ) + + #### Security State Change + $guid = "0CCE9210-69AE-11D9-BED3-505054503030" + $eids = @() + $channels = @("sec") + $enabled = $enabledguid -contains $guid + $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + 
$auditResult += [WELA]::New( + "Security Advanced (System)", + "Other System Events", + $enabled, + [array]$rules, + "Success", + "Success and Failure", + "" + ) + + #### Security System Extension + $guid = "0CCE9211-69AE-11D9-BED3-505054503030" + $eids = @() + $channels = @("sec") + $enabled = $enabledguid -contains $guid + $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $auditResult += [WELA]::New( + "Security Advanced (System)", + "Security System Extension", + $enabled, + [array]$rules, + "No Auditing", + "", + "", + "" + ) + + #### System Integrity + $guid = "0CCE9212-69AE-11D9-BED3-505054503030" + $eids = @() + $channels = @("sec") + $enabled = $enabledguid -contains $guid + $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $auditResult += [WELA]::New( + "Security Advanced (System)", + "System Integrity", + $enabled, + [array]$rules, + "Success and Failure", + "Success and Failure", + "", + "" + ) + + # Security-Mitigations KernelMode + $guid = "" + $eids = @() + $channels = @("Microsoft-Windows-Security-Mitigations*") + $enabled = $true + $rules = $all_rules | Where-Object { RuleFilter $_ $eids $channels $guid } + $rules | ForEach-Object { $_.applicable = $enabled } + $auditResult += [WELA]::New( + "Security-Mitigations KernelMode", + "", + $enabled, + [array]$rules, + "Enabled", + "", + "", + "" + ) + + # Security-Mitigations UserMode + $guid = "" + $eids = @() + $channels = @("Microsoft-Windows-Security-Mitigations*") + $enabled = $true + $rules = $all_rules | Where-Object { RuleFilter $_ $eids $channels $guid } + $rules | ForEach-Object { $_.applicable = $enabled } + $auditResult += [WELA]::New( + "Security-Mitigations UserMode", + "", + $enabled, + [array]$rules, + "Enabled", + "", + "", + "" + ) + + # SMBClient Security + $guid = "" + $eids = @() + $channels = @("Microsoft-Windows-SmbClient/Security") + $enabled = $true + $rules = $all_rules | Where-Object { RuleFilter $_ $eids $channels $guid } + $rules | 
ForEach-Object { $_.applicable = $enabled } + $auditResult += [WELA]::New( + "SMBClient Security", + "", + $enabled, + [array]$rules, + "Enabled", + "", + "", + "" + ) + + # System + $guid = "" + $eids = @() + $channels = @("System") + $enabled = $true + $rules = $all_rules | Where-Object { RuleFilter $_ $eids $channels $guid } + $rules | ForEach-Object { $_.applicable = $enabled } + $auditResult += [WELA]::New( + "System", + "", + $enabled, + [array]$rules, + "Enabled", + "", + "", + "" + ) + + # TaskScheduler Operational + $guid = "" + $eids = @() + $channels = @("Microsoft-Windows-TaskScheduler/Operational") + $enabled = $true + $rules = $all_rules | Where-Object { RuleFilter $_ $eids $channels $guid } + $rules | ForEach-Object { $_.applicable = $enabled } + $auditResult += [WELA]::New( + "TaskScheduler Operational", + "", + $enabled, + [array]$rules, + "Enabled", + "", + "", + "" + ) + + # TerminalServices-LocalSessionManager Operational + $guid = "" + $eids = @() + $channels = @("Microsoft-Windows-TerminalServices-LocalSessionManager/Operational") + $enabled = $true + $rules = $all_rules | Where-Object { RuleFilter $_ $eids $channels $guid } + $rules | ForEach-Object { $_.applicable = $enabled } + $auditResult += [WELA]::New( + "TerminalServices-LocalSessionManager Operational", + "", + $enabled, + [array]$rules, + "Enabled", + "", + "", + "" + ) + + # WMI-Activity Operational + $guid = "" + $eids = @() + $channels = @("Microsoft-Windows-WMI-Activity/Operational") + $enabled = $true + $rules = $all_rules | Where-Object { RuleFilter $_ $eids $channels $guid } + $rules | ForEach-Object { $_.applicable = $enabled } + $auditResult += [WELA]::New( + "WMI-Activity Operational", + "", + $enabled, + [array]$rules, + "Enabled", + "", + "", + "" + ) + + # Windows Defender Operational + $guid = "" + $eids = @() + $channels = @("Microsoft-Windows-Windows Defender/Operational") + $enabled = $true + $rules = $all_rules | Where-Object { RuleFilter $_ $eids $channels $guid } 
+ $rules | ForEach-Object { $_.applicable = $enabled } + $auditResult += [WELA]::New( + "Windows Defender Operational", + "", + $enabled, + [array]$rules, + "Enabled", + "", + "", + "" + ) + return $auditResult +} + +function GuideMSS { + param ( + [object[]] $all_rules + ) + + $auditResult = @() + # Application + $guid = "" + $eids = @() + $channels = @("Application") + $enabled = $true + $rules = $all_rules | Where-Object { RuleFilter $_ $eids $channels $guid } + $rules | ForEach-Object { $_.applicable = $enabled } + $auditResult += [WELA]::New( + "Application", + "", + $enabled, + [array]$rules, + "Enabled", + "", + "", + "" + ) + + # Applocker + $guid = "" + $eids = @() + $channels = @("Microsoft-Windows-AppLocker/MSI and Script", "Microsoft-Windows-AppLocker/EXE and DLL", "Microsoft-Windows-AppLocker/Packaged app-Deployment", "Microsoft-Windows-AppLocker/Packaged app-Execution") + $enabled = $true + $rules = $all_rules | Where-Object { RuleFilter $_ $eids $channels $guid } + $rules | ForEach-Object { $_.applicable = $enabled } + $auditResult += [WELA]::New( + "Applocker", + "", + $enabled, + [array]$rules, + "Enabled", + "", + "", + "" + ) + + # Bits-Client Operational + $guid = "" + $eids = @() + $channels = @("Microsoft-Windows-Bits-Client/Operational") + $enabled = $true + $rules = $all_rules | Where-Object { RuleFilter $_ $eids $channels $guid } + $rules | ForEach-Object { $_.applicable = $enabled } + $auditResult += [WELA]::New( + "Bits-Client Operational", + "", + $enabled, + [array]$rules, + "Enabled", + "", + "", + "" + ) + + # CodeIntegrity Operational + $guid = "" + $eids = @() + $channels = @("Microsoft-Windows-CodeIntegrity/Operational") + $enabled = $true + $rules = $all_rules | Where-Object { RuleFilter $_ $eids $channels $guid } + $rules | ForEach-Object { $_.applicable = $enabled } + $auditResult += [WELA]::New( + "CodeIntegrity Operational", + "", + $enabled, + [array]$rules, + "Enabled", + "", + "", + "" + ) + + # Diagnosis-Scripted 
Operational + $guid = "" + $eids = @() + $channels = @("Microsoft-Windows-Diagnosis-Scripted/Operational") + $enabled = $true + $rules = $all_rules | Where-Object { RuleFilter $_ $eids $channels $guid } + $rules | ForEach-Object { $_.applicable = $enabled } + $auditResult += [WELA]::New( + "Diagnosis-Scripted Operational", + "", + $enabled, + [array]$rules, + "Enabled", + "", + "", + "" + ) + + # DriverFrameworks-UserMode Operational + $guid = "" + $eids = @() + $channels = @("Microsoft-Windows-DriverFrameworks-UserMode/Operational") + $enabled = $true + $rules = $all_rules | Where-Object { RuleFilter $_ $eids $channels $guid } + $rules | ForEach-Object { $_.applicable = $enabled } + $auditResult += [WELA]::New( + "DriverFrameworks-UserMode Operational", + "", + $enabled, + [array]$rules, + "Enabled", + "", + "", + "" + ) + + # Firewall + $guid = "" + $eids = @() + $channels = @("Microsoft-Windows-Windows Firewall With Advanced Security/Firewall") + $enabled = $true + $rules = $all_rules | Where-Object { RuleFilter $_ $eids $channels $guid } + $rules | ForEach-Object { $_.applicable = $enabled } + $auditResult += [WELA]::New( + "Firewall", + "", + $enabled, + [array]$rules, + "Enabled", + "", + "", + "" + ) + + # NTLM Operational + $guid = "" + $eids = @() + $channels = @("Microsoft-Windows-Diagnosis-Scripted/Operational") + $enabled = $true + $rules = $all_rules | Where-Object { RuleFilter $_ $eids $channels $guid } + $rules | ForEach-Object { $_.applicable = $enabled } + $auditResult += [WELA]::New( + "Microsoft-Windows-NTLM/Operational", + "", + $enabled, + [array]$rules, + "Enabled", + "", + "", + "" + ) + + # PowerShell + ## Classic + $guid = "" + $eids = @("400") + $channels = @("pwsh") + $enabled = $true + $rules = $all_rules | Where-Object { RuleFilter $_ $eids $channels $guid } + $rules | ForEach-Object { $_.applicable = $enabled } + $auditResult += [WELA]::New( + "PowerShell", + "Classic", + $enabled, + [array]$rules, + "Enabled", + "", + "", + "" + ) + + 
## Module + $guid = "" + $eids = @("4103") + $channels = @("pwsh") + $enabled = CheckRegistryValue -registryPath "HKLM:\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\PowerShell\ModuleLogging" -valueName "EnableModuleLogging" -expectedValue 1 + $rules = $all_rules | Where-Object { RuleFilter $_ $eids $channels $guid } + $rules | ForEach-Object { $_.applicable = $enabled } + $auditResult += [WELA]::New( + "PowerShell", + "Module", + $enabled, + [array]$rules, + "No Auditing", + "", + "", + "" + ) + + ## ScriptBlock + $guid = "" + $eids = @("4104") + $channels = @("pwsh") + $enabled = CheckRegistryValue -registryPath "HKLM:\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging" -valueName "EnableScriptBlockLogging" -expectedValue 1 + $rules = $all_rules | Where-Object { RuleFilter $_ $eids $channels $guid } + $rules | ForEach-Object { $_.applicable = $enabled } + $auditResult += [WELA]::New( + "PowerShell", + "ScriptBlock", + $enabled, + [array]$rules, + "Patially", + "", + "", + "" + ) + + # PrintService Admin + $guid = "" + $eids = @() + $channels = @("Microsoft-Windows-PrintService/Admin") + $enabled = $true + $rules = $all_rules | Where-Object { RuleFilter $_ $eids $channels $guid } + $rules | ForEach-Object { $_.applicable = $enabled } + $auditResult += [WELA]::New( + "PrintService", + "PrintService Admin", + $enabled, + [array]$rules, + "Enabled", + "", + "", + "" + ) + + # PrintService Operational + $guid = "" + $eids = @() + $channels = @("Microsoft-Windows-PrintService/Operational") + $enabled = $true + $rules = $all_rules | Where-Object { RuleFilter $_ $eids $channels $guid } + $rules | ForEach-Object { $_.applicable = $enabled } + $auditResult += [WELA]::New( + "PrintService", + "PrintService Operational", + $enabled, + [array]$rules, + "Enabled", + "", + "", + "" + ) + + # Security + ## Advanced + ### Account Logon + #### Credential Validation + $guid = "0CCE923F-69AE-11D9-BED3-505054503030" + $eids = @() + $channels = @("sec") + 
$enabled = $enabledguid -contains $guid + $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $auditResult += [WELA]::New( + "Security Advanced (Account Logon)", + "Credential Validation", + $enabled, + [array]$rules, + "Client OS: No Auditing | Server OS: Success", + "Success and Failure", + "", + "" + ) + + #### Kerberos Authentication Service + $guid = "0CCE9242-69AE-11D9-BED3-505054503030" + $eids = @() + $channels = @("sec") + $enabled = $enabledguid -contains $guid + $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $auditResult += [WELA]::New( + "Security Advanced (Account Logon)", + "Kerberos Authentication Service", + $enabled, + [array]$rules, + "Client OS: No Auditing | Server OS: Success", + "", + "", + "" + ) + + #### Kerberos Service Ticket Operations + $guid = "0CCE9240-69AE-11D9-BED3-505054503030" + $eids = @() + $channels = @("sec") + $enabled = $enabledguid -contains $guid + $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $auditResult += [WELA]::New( + "Security Advanced (Account Logon)", + "Kerberos Service Ticket Operations", + $enabled, + [array]$rules, + "Client OS: No Auditing | Server OS: Success", + "", + "", + "" + ) + + ### Account Management + #### Computer Account Management + $guid = "0CCE9236-69AE-11D9-BED3-505054503030" + $eids = @() + $channels = @("sec") + $enabled = $enabledguid -contains $guid + $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $auditResult += [WELA]::New( + "Security Advanced (Account Management)", + "Computer Account Management", + $enabled, + [array]$rules, + "Client OS: No Auditing | Server OS: Success", + "Success and Failure", + "", + "" + ) + + #### Other Account Management Events + $guid = "0CCE923A-69AE-11D9-BED3-505054503030" + $eids = @() + $channels = @("sec") + $enabled = $enabledguid -contains $guid + $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $auditResult += [WELA]::New( + "Security Advanced 
(Account Management)", + "Other Account Management Events", + $enabled, + [array]$rules, + "No Auditing", + "Success and Failure", + "", + "" + ) + + #### Security Group Management + $guid = "0CCE9237-69AE-11D9-BED3-505054503030" + $eids = @() + $channels = @("sec") + $enabled = $enabledguid -contains $guid + $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $auditResult += [WELA]::New( + "Security Advanced (Account Management)", + "Security Group Management", + $enabled, + [array]$rules, + "No Auditing", + "Success and Failure", + "", + "" + ) + + #### User Account Management + $guid = "0CCE9235-69AE-11D9-BED3-505054503030" + $eids = @() + $channels = @("sec") + $enabled = $enabledguid -contains $guid + $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $auditResult += [WELA]::New( + "Security Advanced (Account Management)", + "User Account Management", + $enabled, + [array]$rules, + "No Auditing", + "Success and Failure", + "", + "" + ) + + ### Detailed Tracking + #### Plug and Play Events + $guid = "0CCE9248-69AE-11D9-BED3-505054503030" + $eids = @() + $channels = @("sec") + $enabled = $enabledguid -contains $guid + $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $auditResult += [WELA]::New( + "Security Advanced (Detailed Tracking)", + "Plug and Play Events", + $enabled, + [array]$rules, + "No Auditing", + "", + "", + "" + ) + + #### Process Creation + $guid = "0CCE922B-69AE-11D9-BED3-505054503030" + $eids = @() + $channels = @("sec") + $enabled = $enabledguid -contains $guid + $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $auditResult += [WELA]::New( + "Security Advanced (Detailed Tracking)", + "Process Creation", + $enabled, + [array]$rules, + "No Auditing", + "Success", + "", + "Include command line in process creation events" + ) + + #### Process Termination + $guid = "0CCE922C-69AE-11D9-BED3-505054503030" + $eids = @() + $channels = @("sec") + $enabled = $enabledguid 
-contains $guid + $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $auditResult += [WELA]::New( + "Security Advanced (Detailed Tracking)", + "Process Termination", + $enabled, + [array]$rules, + "No Auditing", + "", + "", + "" + ) + + #### RPC Events + $guid = "0CCE922E-69AE-11D9-BED3-505054503030" + $eids = @() + $channels = @("sec") + $enabled = $enabledguid -contains $guid + $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $auditResult += [WELA]::New( + "Security Advanced (Detailed Tracking)", + "RPC Events", + $enabled, + [array]$rules, + "No Auditing", + "", + "", + "" + ) + + #### Token Right Adjusted Events + $guid = "0CCE922E-69AE-11D9-BED3-505054503030" + $eids = @() + $channels = @("sec") + $enabled = $enabledguid -contains $guid + $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $auditResult += [WELA]::New( + "Security Advanced (Detailed Tracking)", + "Token Right Adjusted Events", + $enabled, + [array]$rules, + "No Auditing", + "", + "", + "" + ) + + ### DS (Directory Service) Access + #### Directory Service Access + $guid = "0CCE923B-69AE-11D9-BED3-505054503030" + $eids = @() + $channels = @("sec") + $enabled = $enabledguid -contains $guid + $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $auditResult += [WELA]::New( + "Security Advanced (DS Access)", + "Directory Service Access", + $enabled, + [array]$rules, + "Client OS: No Auditing | Server OS: Success", + "Success and Failure", + "", + "" + ) + + #### Directory Service Changes + $guid = "0CCE923C-69AE-11D9-BED3-505054503030" + $eids = @() + $channels = @("sec") + $enabled = $enabledguid -contains $guid + $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $auditResult += [WELA]::New( + "Security Advanced (DS Access)", + "Directory Service Changes", + $enabled, + [array]$rules, + "No Auditing", + "Success and Failure", + "", + "" + ) + + ### Logon/Logoff + #### Account Lockout + $guid = 
"0CCE9217-69AE-11D9-BED3-505054503030" + $eids = @() + $channels = @("sec") + $enabled = $enabledguid -contains $guid + $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $auditResult += [WELA]::New( + "Security Advanced (Logon/Logoff)", + "Account Lockout", + $enabled, + [array]$rules, + "Success", + "Failure", + "", + "" + ) + + #### Group Membership + $guid = "0CCE9249-69AE-11D9-BED3-505054503030" + $eids = @() + $channels = @("sec") + $enabled = $enabledguid -contains $guid + $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $auditResult += [WELA]::New( + "Security Advanced (Logon/Logoff)", + "Group Membership", + $enabled, + [array]$rules, + "No Auditing", + "Success", + "", + "" + ) + + #### Logoff + $guid = "0CCE9216-69AE-11D9-BED3-505054503030" + $eids = @() + $channels = @("sec") + $enabled = $enabledguid -contains $guid + $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $auditResult += [WELA]::New( + "Security Advanced (Logon/Logoff)", + "Group Membership", + $enabled, + [array]$rules, + "No Auditing", + "Success", + "", + "" + ) + + #### Logon + $guid = "0CCE9215-69AE-11D9-BED3-505054503030" + $eids = @() + $channels = @("sec") + $enabled = $enabledguid -contains $guid + $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $auditResult += [WELA]::New( + "Security Advanced (Logon/Logoff)", + "Logon", + $enabled, + [array]$rules, + "Client OS: Success | Server OS: Success and Failure", + "Success and Failure", + "", + "" + ) + + #### Other Logon/Logoff Events + $guid = "0CCE921C-69AE-11D9-BED3-505054503030" + $eids = @() + $channels = @("sec") + $enabled = $enabledguid -contains $guid + $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $auditResult += [WELA]::New( + "Security Advanced (Logon/Logoff)", + "Other Logon/Logoff Events", + $enabled, + [array]$rules, + "No Auditing", + "Success and Failure", + "", + "" + ) + + #### Special Logon + $guid = 
"0CCE921B-69AE-11D9-BED3-505054503030" + $eids = @() + $channels = @("sec") + $enabled = $enabledguid -contains $guid + $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $auditResult += [WELA]::New( + "Security Advanced (Logon/Logoff)", + "Special Logon", + $enabled, + [array]$rules, + "Success", + "Success", + "", + "" + ) + + + ### Object Access + #### Certification Services + $guid = "0CCE9221-69AE-11D9-BED3-505054503030" + $eids = @() + $channels = @("sec") + $enabled = $enabledguid -contains $guid + $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $auditResult += [WELA]::New( + "Security Advanced (Object Access)", + "Certification Services", + $enabled, + [array]$rules, + "No Auditing", + "", + "", + "" + ) + + #### Detailed File Share + $guid = "0CCE9244-69AE-11D9-BED3-505054503030" + $eids = @() + $channels = @("sec") + $enabled = $enabledguid -contains $guid + $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $auditResult += [WELA]::New( + "Security Advanced (Object Access)", + "Certification Services", + $enabled, + [array]$rules, + "No Auditing", + "", + "", + "Enabling this setting is not recommended due to the high noise level)" + ) + + #### File Share + $guid = "0CCE9224-69AE-11D9-BED3-505054503030" + $eids = @() + $channels = @("sec") + $enabled = $enabledguid -contains $guid + $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $auditResult += [WELA]::New( + "Security Advanced (Object Access)", + "File Share", + $enabled, + [array]$rules, + "No Auditing", + "Success and Failure", + "", + "" + ) + + #### File System + $guid = "0CCE921D-69AE-11D9-BED3-505054503030" + $eids = @() + $channels = @("sec") + $enabled = $enabledguid -contains $guid + $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $auditResult += [WELA]::New( + "Security Advanced (Object Access)", + "File System", + $enabled, + [array]$rules, + "No Auditing", + "", + "", + "" + ) + + #### 
Filtering Platform Connection + $guid = "0CCE9226-69AE-11D9-BED3-505054503030" + $eids = @() + $channels = @("sec") + $enabled = $enabledguid -contains $guid + $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $auditResult += [WELA]::New( + "Security Advanced (Object Access)", + "Filtering Platform Connection", + $enabled, + [array]$rules, + "No Auditing", + "", + "", + "" + ) + + #### Filtering Platform Packet Drop + $guid = "0CCE9225-69AE-11D9-BED3-505054503030" + $eids = @() + $channels = @("sec") + $enabled = $enabledguid -contains $guid + $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $auditResult += [WELA]::New( + "Security Advanced (Object Access)", + "Filtering Platform Packet Drop", + $enabled, + [array]$rules, + "No Auditing", + "", + "", + "" + ) + + #### Kernel Object + $guid = "0CCE921F-69AE-11D9-BED3-505054503030" + $eids = @() + $channels = @("sec") + $enabled = $enabledguid -contains $guid + $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $auditResult += [WELA]::New( + "Security Advanced (Object Access)", + "Kernel Object", + $enabled, + [array]$rules, + "No Auditing", + "Success and Failure", + "", + "" + ) + + #### Handle Manipulation + $guid = "0CCE9223-69AE-11D9-BED3-505054503030" + $eids = @() + $channels = @("sec") + $enabled = $enabledguid -contains $guid + $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $auditResult += [WELA]::New( + "Security Advanced (Object Access)", + "Handle Manipulation", + $enabled, + [array]$rules, + "No Auditing", + "", + "", + "" + ) + + #### Other Object Access Events + $guid = "0CCE9227-69AE-11D9-BED3-505054503030" + $eids = @() + $channels = @("sec") + $enabled = $enabledguid -contains $guid + $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $auditResult += [WELA]::New( + "Security Advanced (Object Access)", + "Other Object Access Events", + $enabled, + [array]$rules, + "No Auditing", + "Success and 
Failure", + "", + "" + ) + + #### Registry + $guid = "0CCE921E-69AE-11D9-BED3-505054503030" + $eids = @() + $channels = @("sec") + $enabled = $enabledguid -contains $guid + $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $auditResult += [WELA]::New( + "Security Advanced (Object Access)", + "Registry", + $enabled, + [array]$rules, + "No Auditing", + "Success and Failure", + "", + "" + ) + + #### Removable Storage + $guid = "0CCE9245-69AE-11D9-BED3-505054503030" + $eids = @() + $channels = @("sec") + $enabled = $enabledguid -contains $guid + $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $auditResult += [WELA]::New( + "Security Advanced (Object Access)", + "Removable Storage", + $enabled, + [array]$rules, + "No Auditing", + "", + "", + "" + ) + + #### SAM + $guid = "0CCE9220-69AE-11D9-BED3-505054503030" + $eids = @() + $channels = @("sec") + $enabled = $enabledguid -contains $guid + $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $auditResult += [WELA]::New( + "Security Advanced (Object Access)", + "SAM", + $enabled, + [array]$rules, + "No Auditing", + "", + "", + "" + ) + + ### Policy Change + #### Audit Policy Change + $guid = "0CCE922F-69AE-11D9-BED3-505054503030" + $eids = @() + $channels = @("sec") + $enabled = $enabledguid -contains $guid + $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $auditResult += [WELA]::New( + "Security Advanced (Policy Change)", + "Audit Policy Change", + $enabled, + [array]$rules, + "Success", + "Success and Failure", + "", + "" + ) + + #### Authentication Policy Change + $guid = "0CCE9230-69AE-11D9-BED3-505054503030" + $eids = @() + $channels = @("sec") + $enabled = $enabledguid -contains $guid + $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $auditResult += [WELA]::New( + "Security Advanced (Policy Change)", + "Authentication Policy Change", + $enabled, + [array]$rules, + "Success", + "Success", + "", + "" + ) + + #### 
Authorization Policy Change + $guid = "0CCE9231-69AE-11D9-BED3-505054503030" + $eids = @() + $channels = @("sec") + $enabled = $enabledguid -contains $guid + $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $auditResult += [WELA]::New( + "Security Advanced (Policy Change)", + "Authorization Policy Change", + $enabled, + [array]$rules, + "No Auditing", + "", + "", + "" + ) + + #### Filtering Platform Policy Change + $guid = "0CCE9233-69AE-11D9-BED3-505054503030" + $eids = @() + $channels = @("sec") + $enabled = $enabledguid -contains $guid + $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $auditResult += [WELA]::New( + "Security Advanced (Policy Change)", + "Filtering Platform Policy Change", + $enabled, + [array]$rules, + "No Auditing", + "", + "", + "" + ) + + #### MPSSVC Rule-Level Policy Change + $guid = "0CCE9232-69AE-11D9-BED3-505054503030" + $eids = @() + $channels = @("sec") + $enabled = $enabledguid -contains $guid + $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $auditResult += [WELA]::New( + "Security Advanced (Policy Change)", + "MPSSVC Rule-Level Policy Change", + $enabled, + [array]$rules, + "No Auditing", + "", + "", + "" + ) + + #### Other Policy Change Events + $guid = "0CCE9234-69AE-11D9-BED3-505054503030" + $eids = @() + $channels = @("sec") + $enabled = $enabledguid -contains $guid + $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $auditResult += [WELA]::New( + "Security Advanced (Policy Change)", + "Other Policy Change Events", + $enabled, + [array]$rules, + "No Auditing", + "Success and Failure", + "", + "" + ) + + ### Privilege Use + #### Non-Sensitive Privilege Use + $guid = "0CCE9229-69AE-11D9-BED3-505054503030" + $eids = @() + $channels = @("sec") + $enabled = $enabledguid -contains $guid + $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $auditResult += [WELA]::New( + "Security Advanced (Privilege Use)", + "Non-Sensitive Privilege 
Use", + $enabled, + [array]$rules, + "No Auditing", + "", + "", + "" + ) + + #### Sensitive Privilege Use + $guid = "0CCE9228-69AE-11D9-BED3-505054503030" + $eids = @() + $channels = @("sec") + $enabled = $enabledguid -contains $guid + $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $auditResult += [WELA]::New( + "Security Advanced (Privilege Use)", + "Sensitive Privilege Use", + $enabled, + [array]$rules, + "No Auditing", + "", + "", + "" + ) + + ### System + #### Other System Events + $guid = "0CCE9214-69AE-11D9-BED3-505054503030" + $eids = @() + $channels = @("sec") + $enabled = $enabledguid -contains $guid + $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $auditResult += [WELA]::New( + "Security Advanced (System)", + "Other System Events", + $enabled, + [array]$rules, + "Success and Failure", + "", + "", + "" + ) + + #### Security State Change + $guid = "0CCE9210-69AE-11D9-BED3-505054503030" + $eids = @() + $channels = @("sec") + $enabled = $enabledguid -contains $guid + $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $auditResult += [WELA]::New( + "Security Advanced (System)", + "Other System Events", + $enabled, + [array]$rules, + "Success", + "Success and Failure", + "" + ) + + #### Security System Extension + $guid = "0CCE9211-69AE-11D9-BED3-505054503030" + $eids = @() + $channels = @("sec") + $enabled = $enabledguid -contains $guid + $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $auditResult += [WELA]::New( + "Security Advanced (System)", + "Security System Extension", + $enabled, + [array]$rules, + "No Auditing", + "Success and Failure", + "", + "" + ) + + #### System Integrity + $guid = "0CCE9212-69AE-11D9-BED3-505054503030" + $eids = @() + $channels = @("sec") + $enabled = $enabledguid -contains $guid + $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $auditResult += [WELA]::New( + "Security Advanced (System)", + "System Integrity", + $enabled, 
+ [array]$rules, + "Success and Failure", + "Success and Failure", + "", + "" + ) + + # Security-Mitigations KernelMode + $guid = "" + $eids = @() + $channels = @("Microsoft-Windows-Security-Mitigations*") + $enabled = $true + $rules = $all_rules | Where-Object { RuleFilter $_ $eids $channels $guid } + $rules | ForEach-Object { $_.applicable = $enabled } + $auditResult += [WELA]::New( + "Security-Mitigations KernelMode", + "", + $enabled, + [array]$rules, + "Enabled", + "", + "", + "" + ) + + # Security-Mitigations UserMode + $guid = "" + $eids = @() + $channels = @("Microsoft-Windows-Security-Mitigations*") + $enabled = $true + $rules = $all_rules | Where-Object { RuleFilter $_ $eids $channels $guid } + $rules | ForEach-Object { $_.applicable = $enabled } + $auditResult += [WELA]::New( + "Security-Mitigations UserMode", + "", + $enabled, + [array]$rules, + "Enabled", + "", + "", + "" + ) + + # SMBClient Security + $guid = "" + $eids = @() + $channels = @("Microsoft-Windows-SmbClient/Security") + $enabled = $true + $rules = $all_rules | Where-Object { RuleFilter $_ $eids $channels $guid } + $rules | ForEach-Object { $_.applicable = $enabled } + $auditResult += [WELA]::New( + "SMBClient Security", + "", + $enabled, + [array]$rules, + "Enabled", + "", + "", + "" + ) + + # System + $guid = "" + $eids = @() + $channels = @("System") + $enabled = $true + $rules = $all_rules | Where-Object { RuleFilter $_ $eids $channels $guid } + $rules | ForEach-Object { $_.applicable = $enabled } + $auditResult += [WELA]::New( + "System", + "", + $enabled, + [array]$rules, + "Enabled", + "", + "", + "" + ) + + # TaskScheduler Operational + $guid = "" + $eids = @() + $channels = @("Microsoft-Windows-TaskScheduler/Operational") + $enabled = $true + $rules = $all_rules | Where-Object { RuleFilter $_ $eids $channels $guid } + $rules | ForEach-Object { $_.applicable = $enabled } + $auditResult += [WELA]::New( + "TaskScheduler Operational", + "", + $enabled, + [array]$rules, + "Enabled", + 
"", + "", + "" + ) + + # TerminalServices-LocalSessionManager Operational + $guid = "" + $eids = @() + $channels = @("Microsoft-Windows-TerminalServices-LocalSessionManager/Operational") + $enabled = $true + $rules = $all_rules | Where-Object { RuleFilter $_ $eids $channels $guid } + $rules | ForEach-Object { $_.applicable = $enabled } + $auditResult += [WELA]::New( + "TerminalServices-LocalSessionManager Operational", + "", + $enabled, + [array]$rules, + "Enabled", + "", + "", + "" + ) + + # WMI-Activity Operational + $guid = "" + $eids = @() + $channels = @("Microsoft-Windows-WMI-Activity/Operational") + $enabled = $true + $rules = $all_rules | Where-Object { RuleFilter $_ $eids $channels $guid } + $rules | ForEach-Object { $_.applicable = $enabled } + $auditResult += [WELA]::New( + "WMI-Activity Operational", + "", + $enabled, + [array]$rules, + "Enabled", + "", + "", + "" + ) + + # Windows Defender Operational + $guid = "" + $eids = @() + $channels = @("Microsoft-Windows-Windows Defender/Operational") + $enabled = $true + $rules = $all_rules | Where-Object { RuleFilter $_ $eids $channels $guid } + $rules | ForEach-Object { $_.applicable = $enabled } + $auditResult += [WELA]::New( + "Windows Defender Operational", + "", + $enabled, + [array]$rules, + "Enabled", + "", + "", + "" + ) + return $auditResult +} + + + +function AuditLogSetting { + param ( + [string] $outType, + [string] $guide, + [bool] $debug + ) + + $autidpolTxt = "./auditpol.txt" + if (-not $debug) { + Start-Process -FilePath "cmd.exe" -ArgumentList "/c chcp 437 & auditpol /get /category:* /r" -NoNewWindow -Wait -RedirectStandardOutput $autidpolTxt + } + $enabledguid = [System.Collections.Generic.HashSet[string]]::new() + Get-Content -Path $autidpolTxt | Select-String -NotMatch "No Auditing" | ForEach-Object { + if ($_ -match '{(.*?)}') { + [void]$enabledguid.Add($matches[1]) + } + } + $all_rules = Get-Content -Path "config/security_rules.json" -Raw | ConvertFrom-Json + $all_rules | ForEach-Object 
{ + $_ | Add-Member -MemberType NoteProperty -Name "applicable" -Value $false + } + $auditResult = @() + + if ($guide.ToLower() -eq "yamatosecurity") { + $auditResult = GuideYamatoSecurity $all_rules + } elseif ($guide.ToLower() -eq "asd") { + $auditResult = GuideASD $all_rules + } elseif ($guide.ToLower() -eq "microsoft_client") { + $auditResult = GuideMSC $all_rules + } elseif ($guide.ToLower() -eq "microsoft_server") { + $auditResult = GuideMSS $all_rules + } $auditResult | ForEach-Object { $_.SetApplicable($enabledguid) 
@@ -1555,36 +5004,25 @@ $logo = @" $help = @" Usage: - ./WELA.ps1 audit-settings # Audit current setting and show in stdout, save to csv - ./WELA.ps1 audit-settings gui # Audit current setting and show in gui, save to csv - ./WELA.ps1 audit-settings table # Audit current setting and show in table layout, save to csv - ./WELA.ps1 audit-filesize # Audit current file size and show in stdout, save to csv - ./WELA.ps1 update-rules # Update rule config files from https://github.com/Yamato-Security/WELA + ./WELA.ps1 -Cmd audit-settings -Guide YamatoSecurity # Audit current setting and show in stdout, save to csv + ./WELA.ps1 -Cmd audit-settings -Guide ASD -OutType gui # Audit current setting and show in gui, save to csv + ./WELA.ps1 -Cmd audit-filesize -Guide YamatoSecurity # Audit current file size and show in stdout, save to csv + ./WELA.ps1 -Cmd update-rules # Update rule config files from https://github.com/Yamato-Security/WELA ./WELA.ps1 help # Show this help "@ + [Console]::OutputEncoding = [System.Text.Encoding]::UTF8 Write-Host $logo -ForegroundColor Green -if ($args.Count -eq 0) { - Write-Host $help - exit 1 -} - -$command = $args[0].ToLower() - -switch ($command) { +switch ($Cmd.ToLower()) { "audit-settings" { - $outType = "std" - $debug = $false - if ($args.Count -eq 2) { - $outType = $args[1].ToLower() + $validGuides = @("YamatoSecurity", "ASD", "Microsoft_Client", "Microsoft_Server") + if (-not ($validGuides -contains $Guide.ToLower())) { + Write-Host "Invalid Guide specified. Valid options are: YamatoSecurity, ASD, Microsoft_Client, Microsoft_Server." + break } - if ($args.Count -eq 3) { - $outType = $args[1].ToLower() - $debug = $args[2].ToLower() -eq "debug" - } - AuditLogSetting $outType $debug + AuditLogSetting $OutType $Guide $Debug } "audit-filesize" { AuditFileSize 
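Review bot: The no-argument and invalid-input paths no longer exit non-zero: the removed `if ($args.Count -eq 0) { ... exit 1 }` has no replacement, so a run with no `-Cmd` (`$Cmd` is then an empty string) falls through to `default` in the next hunk, and the invalid-guide branch prints its message and `break`s out of the switch, after which the script ends with exit code 0 since the switch is the last statement in the file. A wrapper script or scheduled job cannot distinguish a completed audit from a rejected one; add `exit 1` after the `Write-Host` in the invalid-guide branch and in the `default` case of the hunk at `@@ -1593`. This check is also the only guard, because AuditLogSetting's if/elseif dispatch (outside this hunk) has no else branch and would return an empty result for an unknown guide. As a point of style, `switch` and `-contains` are case-insensitive in PowerShell, so the `.ToLower()` calls on `$Cmd` and `$Guide` are redundant. `$OutType` is now passed through without the `.ToLower()` the old code applied to `$args[1]`; presumably harmless if AuditLogSetting compares it with `-eq`, but worth confirming.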
@@ -1593,11 +5031,11 @@ switch ($command) { "update-rules" { UpdateRules } - "help" { Write-Host $help } default { + Write-Host "Invalid command. Use 'help' to see available commands." Write-Host $help } } \ No newline at end of file From 10b2f9904773e698383cb6edc6ec4a9355d80b62 Mon Sep 17 00:00:00 2001 From: fukusuket <41001169+fukusuket@users.noreply.github.com> Date: Fri, 9 May 2025 22:00:11 +0900 Subject: [PATCH 2/7] feat: add audit-settigs cmd option guide --- WELA.ps1 | 1 + 1 file changed, 1 insertion(+) diff --git a/WELA.ps1 b/WELA.ps1 index 8836a636..2dd3aaf3 100644 --- a/WELA.ps1 +++ b/WELA.ps1 @@ -3430,6 +3430,7 @@ function GuideMSC { [array]$rules, "Success", "Success and Failure", + "", "" ) From 963aabefdb410a1f08f7206acf4140074c16def8 Mon Sep 17 00:00:00 2001 From: fukusuket <41001169+fukusuket@users.noreply.github.com> Date: Fri, 9 May 2025 22:05:30 +0900 Subject: [PATCH 3/7] feat: add audit-settigs cmd option guide --- WELA.ps1 | 1 + 1 file changed, 1 insertion(+) diff --git a/WELA.ps1 b/WELA.ps1 index 2dd3aaf3..e2b921dd 100644 --- a/WELA.ps1 +++ b/WELA.ps1 @@ -4577,6 +4577,7 @@ function GuideMSS { [array]$rules, "Success", "Success and Failure", + "", "" ) From ee52b0486dacf4b89516cd1132a8a9fafc1ef150 Mon Sep 17 00:00:00 2001 From: fukusuket <41001169+fukusuket@users.noreply.github.com> Date: Fri, 9 May 2025 23:24:43 +0900 Subject: [PATCH 4/7] chg: guide -> baseline --- WELA.ps1 | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/WELA.ps1 b/WELA.ps1 index e2b921dd..e7e1fcb2 100644 --- a/WELA.ps1 +++ b/WELA.ps1 @@ -1,7 +1,7 @@ param ( [string]$Cmd, [string]$OutType = "std", - [string]$Guide = "YamatoSecurity", + [string]$Baseline = "YamatoSecurity", [bool]$Debug = $false ) @@ -4766,7 +4766,7 @@ function GuideMSS { function AuditLogSetting { param ( [string] $outType, - [string] $guide, + [string] $Baseline, [bool] $debug ) 
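Review bot: Removing the `"help"` case makes the documented command report itself invalid: the usage text in the previous hunk still lists `./WELA.ps1 help`, a positional `help` binds to `$Cmd`, and it now lands in `default`, which prints `Invalid command. Use 'help' to see available commands.` before the usage. Restore `"help" { Write-Host $help }`, or make an empty `$Cmd` print the usage without the "Invalid command" line and reserve that line for genuinely unknown commands. The usage line should also read `./WELA.ps1 -Cmd help` to match the other entries now that commands are named parameters.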
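Review bot: The seven-argument `[WELA]::New(` call this hunk fixes in GuideMSC (and patch 3 fixes in GuideMSS) is still present in GuideASD's Security State Change entry added by the first patch of this series, which passes `"Success", "Success and Failure", ""` and then closes the call; if the constructor takes eight arguments as these two fixes imply, that entry fails the same way. The same copy-paste pattern leaves wrong labels in GuideASD: Security State Change reports its sub-category as `"Other System Events"`, Logoff reports `"Group Membership"`, and Detailed File Share reports `"Certification Services"`, so the names shown to the user do not match the GUIDs being checked. More seriously for an audit-coverage tool, GuideASD's Token Right Adjusted Events entry reuses RPC Events' GUID `0CCE922E-69AE-11D9-BED3-505054503030`, so its enabled state is read from the wrong subcategory and the report can claim coverage that does not exist; the hunk containing these entries starts before this chunk, so they are flagged here.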
@@ -4786,13 +4786,13 @@ function AuditLogSetting { } $auditResult = @() - if ($guide.ToLower() -eq "yamatosecurity") { + if ($Baseline.ToLower() -eq "yamatosecurity") { $auditResult = GuideYamatoSecurity $all_rules - } elseif ($guide.ToLower() -eq "asd") { + } elseif ($Baseline.ToLower() -eq "asd") { $auditResult = GuideASD $all_rules - } elseif ($guide.ToLower() -eq "microsoft_client") { + } elseif ($Baseline.ToLower() -eq "microsoft_client") { $auditResult = GuideMSC $all_rules - } elseif ($guide.ToLower() -eq "microsoft_server") { + } elseif ($Baseline.ToLower() -eq "microsoft_server") { $auditResult = GuideMSS $all_rules } @@ -5020,11 +5020,11 @@ Write-Host $logo -ForegroundColor Green switch ($Cmd.ToLower()) { "audit-settings" { $validGuides = @("YamatoSecurity", "ASD", "Microsoft_Client", "Microsoft_Server") - if (-not ($validGuides -contains $Guide.ToLower())) { + if (-not ($validGuides -contains $Baseline.ToLower())) { Write-Host "Invalid Guide specified. Valid options are: YamatoSecurity, ASD, Microsoft_Client, Microsoft_Server." break } - AuditLogSetting $OutType $Guide $Debug + AuditLogSetting $OutType $Baseline $Debug } "audit-filesize" { AuditFileSize From 00e64b5ec319340481b2215caeb6b656f5e8a884 Mon Sep 17 00:00:00 2001 From: fukusuket <41001169+fukusuket@users.noreply.github.com> Date: Fri, 9 May 2025 23:27:05 +0900 Subject: [PATCH 5/7] chg: guide -> baseline --- WELA.ps1 | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/WELA.ps1 b/WELA.ps1 index e7e1fcb2..fe787685 100644 --- a/WELA.ps1 +++ b/WELA.ps1 
@@ -5006,9 +5006,9 @@ $logo = @" $help = @" Usage: - ./WELA.ps1 -Cmd audit-settings -Guide YamatoSecurity # Audit current setting and show in stdout, save to csv - ./WELA.ps1 -Cmd audit-settings -Guide ASD -OutType gui # Audit current setting and show in gui, save to csv - ./WELA.ps1 -Cmd audit-filesize -Guide YamatoSecurity # Audit current file size and show in stdout, save to csv + ./WELA.ps1 -Cmd audit-settings -Baseline YamatoSecurity # Audit current setting and show in stdout, save to csv + ./WELA.ps1 -Cmd audit-settings -Baseline ASD -OutType gui # Audit current setting and show in gui, save to csv + ./WELA.ps1 -Cmd audit-filesize -Baseline YamatoSecurity # Audit current file size and show in stdout, save to csv ./WELA.ps1 -Cmd update-rules # Update rule config files from https://github.com/Yamato-Security/WELA ./WELA.ps1 help # Show this help "@ From 49a64bb9ca1efa14371570067563bd688647b8e3 Mon Sep 17 00:00:00 2001 From: fukusuket <41001169+fukusuket@users.noreply.github.com> Date: Sat, 10 May 2025 08:33:27 +0900 Subject: [PATCH 6/7] fix: add Application --- WELA.ps1 | 21 ++++++++++++++++++ auditpol.txt | 61 ++++++++++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 82 insertions(+) create mode 100644 auditpol.txt diff --git a/WELA.ps1 b/WELA.ps1 index fe787685..35ac0e9a 100644 --- a/WELA.ps1 +++ b/WELA.ps1 @@ -197,6 +197,25 @@ function GuideYamatoSecurity [object[]] $all_rules ) $auditResult = @() + + # Application + $guid = "" + $eids = @() + $channels = @("Application") + $enabled = $true + $rules = $all_rules | Where-Object { RuleFilter $_ $eids $channels $guid } + $rules | ForEach-Object { $_.applicable = $enabled } + $auditResult += [WELA]::New( + "Application", + "", + $enabled, + [array]$rules, + "Enabled", + "Enabled", + "", + "" + ) + # Applocker $guid = "" $eids = @() @@ -1326,6 +1345,7 @@ function GuideASD { ) $auditResult = @() + # Application $guid = "" $eids = @() 
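Review bot: The Application entry is the same fifteen-line channel block that GuideASD and GuideMSC receive in this commit and that every other channel entry in the four Guide functions repeats, differing only in the channel list, display name and the two trailing setting strings; a small helper would shrink each function and make the argument-count slips fixed in patches 2 and 3 impossible to repeat, and it would be the one place that decides how `$rules` is coerced before reaching `[WELA]::New`. The names of the fifth and sixth constructor strings are not visible here, so the parameter names below are assumed from usage and should be aligned with the WELA class fields. Separately, this commit also adds `auditpol.txt`, the file AuditLogSetting writes via `$autidpolTxt = "./auditpol.txt"`: it records the machine name and the host's audit policy, and although the next patch deletes it again it remains in history, so the path should be listed in `.gitignore` (or the output written to a temp file) so a future commit cannot pick it up.
```powershell
function Add-ChannelEntry {
    param (
        [string] $Name,
        [string] $SubName,
        [string[]] $Channels,
        [object[]] $Rules,
        [string] $Default,      # assumed meaning of the 5th [WELA]::New argument
        [string] $Recommended   # assumed meaning of the 6th [WELA]::New argument
    )
    # Channel entries match on channel only: no event ids and no subcategory GUID.
    $rules = $Rules | Where-Object { RuleFilter $_ @() $Channels "" }
    $rules | ForEach-Object { $_.applicable = $true }
    return [WELA]::New($Name, $SubName, $true, [array]$rules, $Default, $Recommended, "", "")
}

# … unchanged: function GuideYamatoSecurity header and $auditResult = @() …
$auditResult += Add-ChannelEntry -Name "Application" -SubName "" -Channels @("Application") -Rules $all_rules -Default "Enabled" -Recommended "Enabled"
# … unchanged: Applocker and later entries …
```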
@@ -2473,6 +2493,7 @@ function GuideMSC { ) $auditResult = @() + # Application $guid = "" $eids = @() diff --git a/auditpol.txt b/auditpol.txt new file mode 100644 index 00000000..65ee10b1 --- /dev/null +++ b/auditpol.txt 
@@ -0,0 +1,61 @@ +Active code page: 437 +Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting +SAMURAI,System, ,{0CCE9211-69AE-11D9-BED3-505054503030},No Auditing, +SAMURAI,System,,{0CCE9212-69AE-11D9-BED3-505054503030},Success and Failure, +SAMURAI,System,IPsec ,{0CCE9213-69AE-11D9-BED3-505054503030},No Auditing, +SAMURAI,System, ,{0CCE9214-69AE-11D9-BED3-505054503030},Success and Failure, +SAMURAI,System,,{0CCE9210-69AE-11D9-BED3-505054503030},Success, +SAMURAI,System,,{0CCE9215-69AE-11D9-BED3-505054503030},Success and Failure, +SAMURAI,System,,{0CCE9216-69AE-11D9-BED3-505054503030},Success, +SAMURAI,System, ,{0CCE9217-69AE-11D9-BED3-505054503030},Success, +SAMURAI,System,IPsec ,{0CCE9218-69AE-11D9-BED3-505054503030},No Auditing, +SAMURAI,System,IPsec ,{0CCE9219-69AE-11D9-BED3-505054503030},No Auditing, +SAMURAI,System,IPsec ,{0CCE921A-69AE-11D9-BED3-505054503030},No Auditing, +SAMURAI,System,,{0CCE921B-69AE-11D9-BED3-505054503030},Success, +SAMURAI,System,/ ,{0CCE921C-69AE-11D9-BED3-505054503030},No Auditing, +SAMURAI,System, ,{0CCE9243-69AE-11D9-BED3-505054503030},Success and Failure, +SAMURAI,System,/,{0CCE9247-69AE-11D9-BED3-505054503030},No Auditing, +SAMURAI,System, ,{0CCE9249-69AE-11D9-BED3-505054503030},No Auditing, +SAMURAI,System, ,{0CCE921D-69AE-11D9-BED3-505054503030},No Auditing, +SAMURAI,System,,{0CCE921E-69AE-11D9-BED3-505054503030},No Auditing, +SAMURAI,System, ,{0CCE921F-69AE-11D9-BED3-505054503030},No Auditing, +SAMURAI,System,SAM,{0CCE9220-69AE-11D9-BED3-505054503030},No Auditing, +SAMURAI,System,,{0CCE9221-69AE-11D9-BED3-505054503030},No Auditing, +SAMURAI,System,,{0CCE9222-69AE-11D9-BED3-505054503030},No Auditing, +SAMURAI,System,,{0CCE9223-69AE-11D9-BED3-505054503030},No Auditing, +SAMURAI,System,,{0CCE9224-69AE-11D9-BED3-505054503030},No Auditing, +SAMURAI,System, ,{0CCE9225-69AE-11D9-BED3-505054503030},No Auditing, +SAMURAI,System, ,{0CCE9226-69AE-11D9-BED3-505054503030},No Auditing, +SAMURAI,System, 
,{0CCE9227-69AE-11D9-BED3-505054503030},No Auditing, +SAMURAI,System,,{0CCE9244-69AE-11D9-BED3-505054503030},No Auditing, +SAMURAI,System,,{0CCE9245-69AE-11D9-BED3-505054503030},No Auditing, +SAMURAI,System, ,{0CCE9246-69AE-11D9-BED3-505054503030},No Auditing, +SAMURAI,System,,{0CCE9229-69AE-11D9-BED3-505054503030},No Auditing, +SAMURAI,System,,{0CCE922A-69AE-11D9-BED3-505054503030},No Auditing, +SAMURAI,System,,{0CCE9228-69AE-11D9-BED3-505054503030},No Auditing, +SAMURAI,System,,{0CCE922B-69AE-11D9-BED3-505054503030},No Auditing, +SAMURAI,System,,{0CCE922C-69AE-11D9-BED3-505054503030},No Auditing, +SAMURAI,System,DPAPI ,{0CCE922D-69AE-11D9-BED3-505054503030},No Auditing, +SAMURAI,System,RPC ,{0CCE922E-69AE-11D9-BED3-505054503030},No Auditing, +SAMURAI,System, ,{0CCE9248-69AE-11D9-BED3-505054503030},No Auditing, +SAMURAI,System,,{0CCE924A-69AE-11D9-BED3-505054503030},No Auditing, +SAMURAI,System,,{0CCE922F-69AE-11D9-BED3-505054503030},Success, +SAMURAI,System,,{0CCE9230-69AE-11D9-BED3-505054503030},Success, +SAMURAI,System,,{0CCE9231-69AE-11D9-BED3-505054503030},No Auditing, +SAMURAI,System,MPSSVC ,{0CCE9232-69AE-11D9-BED3-505054503030},No Auditing, +SAMURAI,System, ,{0CCE9233-69AE-11D9-BED3-505054503030},No Auditing, +SAMURAI,System,,{0CCE9234-69AE-11D9-BED3-505054503030},No Auditing, +SAMURAI,System, ,{0CCE9236-69AE-11D9-BED3-505054503030},No Auditing, +SAMURAI,System, ,{0CCE9237-69AE-11D9-BED3-505054503030},Success, +SAMURAI,System,,{0CCE9238-69AE-11D9-BED3-505054503030},No Auditing, +SAMURAI,System, ,{0CCE9239-69AE-11D9-BED3-505054503030},No Auditing, +SAMURAI,System,,{0CCE923A-69AE-11D9-BED3-505054503030},No Auditing, +SAMURAI,System, ,{0CCE9235-69AE-11D9-BED3-505054503030},Success, +SAMURAI,System, ,{0CCE923B-69AE-11D9-BED3-505054503030},No Auditing, +SAMURAI,System, ,{0CCE923C-69AE-11D9-BED3-505054503030},No Auditing, +SAMURAI,System, ,{0CCE923D-69AE-11D9-BED3-505054503030},No Auditing, +SAMURAI,System, ,{0CCE923E-69AE-11D9-BED3-505054503030},No Auditing, 
+SAMURAI,System,Kerberos ,{0CCE9240-69AE-11D9-BED3-505054503030},No Auditing, +SAMURAI,System, ,{0CCE9241-69AE-11D9-BED3-505054503030},No Auditing, +SAMURAI,System,Kerberos ,{0CCE9242-69AE-11D9-BED3-505054503030},No Auditing, +SAMURAI,System,,{0CCE923F-69AE-11D9-BED3-505054503030},No Auditing, From 64e9f56e446ca787c1b5ac5e53913ea381f3e4cf Mon Sep 17 00:00:00 2001 From: fukusuket <41001169+fukusuket@users.noreply.github.com> Date: Sat, 10 May 2025 08:35:11 +0900 Subject: [PATCH 7/7] fix: add Application --- auditpol.txt | 61 ---------------------------------------------------- 1 file changed, 61 deletions(-) delete mode 100644 auditpol.txt diff --git a/auditpol.txt b/auditpol.txt deleted file mode 100644 index 65ee10b1..00000000 --- a/auditpol.txt +++ /dev/null 
@@ -1,61 +0,0 @@
-Active code page: 437
-Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting
-SAMURAI,System, ,{0CCE9211-69AE-11D9-BED3-505054503030},No Auditing,
-SAMURAI,System,,{0CCE9212-69AE-11D9-BED3-505054503030},Success and Failure,
-SAMURAI,System,IPsec ,{0CCE9213-69AE-11D9-BED3-505054503030},No Auditing,
-SAMURAI,System, ,{0CCE9214-69AE-11D9-BED3-505054503030},Success and Failure,
-SAMURAI,System,,{0CCE9210-69AE-11D9-BED3-505054503030},Success,
-SAMURAI,System,,{0CCE9215-69AE-11D9-BED3-505054503030},Success and Failure,
-SAMURAI,System,,{0CCE9216-69AE-11D9-BED3-505054503030},Success,
-SAMURAI,System, ,{0CCE9217-69AE-11D9-BED3-505054503030},Success,
-SAMURAI,System,IPsec ,{0CCE9218-69AE-11D9-BED3-505054503030},No Auditing,
-SAMURAI,System,IPsec ,{0CCE9219-69AE-11D9-BED3-505054503030},No Auditing,
-SAMURAI,System,IPsec ,{0CCE921A-69AE-11D9-BED3-505054503030},No Auditing,
-SAMURAI,System,,{0CCE921B-69AE-11D9-BED3-505054503030},Success,
-SAMURAI,System,/ ,{0CCE921C-69AE-11D9-BED3-505054503030},No Auditing,
-SAMURAI,System, ,{0CCE9243-69AE-11D9-BED3-505054503030},Success and Failure,
-SAMURAI,System,/,{0CCE9247-69AE-11D9-BED3-505054503030},No Auditing,
-SAMURAI,System, ,{0CCE9249-69AE-11D9-BED3-505054503030},No Auditing,
-SAMURAI,System, ,{0CCE921D-69AE-11D9-BED3-505054503030},No Auditing,
-SAMURAI,System,,{0CCE921E-69AE-11D9-BED3-505054503030},No Auditing,
-SAMURAI,System, ,{0CCE921F-69AE-11D9-BED3-505054503030},No Auditing,
-SAMURAI,System,SAM,{0CCE9220-69AE-11D9-BED3-505054503030},No Auditing,
-SAMURAI,System,,{0CCE9221-69AE-11D9-BED3-505054503030},No Auditing,
-SAMURAI,System,,{0CCE9222-69AE-11D9-BED3-505054503030},No Auditing,
-SAMURAI,System,,{0CCE9223-69AE-11D9-BED3-505054503030},No Auditing,
-SAMURAI,System,,{0CCE9224-69AE-11D9-BED3-505054503030},No Auditing,
-SAMURAI,System, ,{0CCE9225-69AE-11D9-BED3-505054503030},No Auditing,
-SAMURAI,System, ,{0CCE9226-69AE-11D9-BED3-505054503030},No Auditing,
-SAMURAI,System, 
,{0CCE9227-69AE-11D9-BED3-505054503030},No Auditing,
-SAMURAI,System,,{0CCE9244-69AE-11D9-BED3-505054503030},No Auditing,
-SAMURAI,System,,{0CCE9245-69AE-11D9-BED3-505054503030},No Auditing,
-SAMURAI,System, ,{0CCE9246-69AE-11D9-BED3-505054503030},No Auditing,
-SAMURAI,System,,{0CCE9229-69AE-11D9-BED3-505054503030},No Auditing,
-SAMURAI,System,,{0CCE922A-69AE-11D9-BED3-505054503030},No Auditing,
-SAMURAI,System,,{0CCE9228-69AE-11D9-BED3-505054503030},No Auditing,
-SAMURAI,System,,{0CCE922B-69AE-11D9-BED3-505054503030},No Auditing,
-SAMURAI,System,,{0CCE922C-69AE-11D9-BED3-505054503030},No Auditing,
-SAMURAI,System,DPAPI ,{0CCE922D-69AE-11D9-BED3-505054503030},No Auditing,
-SAMURAI,System,RPC ,{0CCE922E-69AE-11D9-BED3-505054503030},No Auditing,
-SAMURAI,System, ,{0CCE9248-69AE-11D9-BED3-505054503030},No Auditing,
-SAMURAI,System,,{0CCE924A-69AE-11D9-BED3-505054503030},No Auditing,
-SAMURAI,System,,{0CCE922F-69AE-11D9-BED3-505054503030},Success,
-SAMURAI,System,,{0CCE9230-69AE-11D9-BED3-505054503030},Success,
-SAMURAI,System,,{0CCE9231-69AE-11D9-BED3-505054503030},No Auditing,
-SAMURAI,System,MPSSVC ,{0CCE9232-69AE-11D9-BED3-505054503030},No Auditing,
-SAMURAI,System, ,{0CCE9233-69AE-11D9-BED3-505054503030},No Auditing,
-SAMURAI,System,,{0CCE9234-69AE-11D9-BED3-505054503030},No Auditing,
-SAMURAI,System, ,{0CCE9236-69AE-11D9-BED3-505054503030},No Auditing,
-SAMURAI,System, ,{0CCE9237-69AE-11D9-BED3-505054503030},Success,
-SAMURAI,System,,{0CCE9238-69AE-11D9-BED3-505054503030},No Auditing,
-SAMURAI,System, ,{0CCE9239-69AE-11D9-BED3-505054503030},No Auditing,
-SAMURAI,System,,{0CCE923A-69AE-11D9-BED3-505054503030},No Auditing,
-SAMURAI,System, ,{0CCE9235-69AE-11D9-BED3-505054503030},Success,
-SAMURAI,System, ,{0CCE923B-69AE-11D9-BED3-505054503030},No Auditing,
-SAMURAI,System, ,{0CCE923C-69AE-11D9-BED3-505054503030},No Auditing,
-SAMURAI,System, ,{0CCE923D-69AE-11D9-BED3-505054503030},No Auditing,
-SAMURAI,System, ,{0CCE923E-69AE-11D9-BED3-505054503030},No Auditing,
-SAMURAI,System,Kerberos ,{0CCE9240-69AE-11D9-BED3-505054503030},No Auditing,
-SAMURAI,System, ,{0CCE9241-69AE-11D9-BED3-505054503030},No Auditing,
-SAMURAI,System,Kerberos ,{0CCE9242-69AE-11D9-BED3-505054503030},No Auditing,
-SAMURAI,System,,{0CCE923F-69AE-11D9-BED3-505054503030},No Auditing,