CSEC_PUBLIC/WELA
1
0
Fork 0
mirror of https://github.com/Yamato-Security/WELA.git synced 2025-12-06 17:22:50 +01:00
Code Issues Packages Projects Releases Wiki Activity

feat: verbose security

Browse Source
This commit is contained in:
fukusuket
2025-03-29 08:28:17 +09:00
parent d78dea1fa4
commit 4211fd5de5
2 changed files with 133 additions and 133 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
WELA.ps1
View File

@@ -69,10 +69,10 @@ $totalUsablePwsModRate = CalculateTotalUsableRate -usableRate $usablePwsModRate
$totalUsablePwsScrRate = CalculateTotalUsableRate -usableRate $usablePwsScrRate
ShowRulesCountsByLevel -usableRate $usableSecRate -msg "Security event log detection rules: " -colorMsg "$totalUsableSecRate (Partially Enabled)"
ShowVerboseSecurity
ShowRulesCountsByLevel -usableRate $usablePwsClaRate -msg "PowerShell classic logging detection rules: " -colorMsg "$totalUsablePwsClaRate (Enabled)"
ShowRulesCountsByLevel -usableRate $usablePwsModRate -msg "PowerShell module logging detection rules: " -colorMsg "$totalUsablePwsModRate ($pwsModStatus)"
ShowRulesCountsByLevel -usableRate $usablePwsScrRate -msg "PowerShell script block logging detection rules: " -colorMsg "$totalUsablePwsScrRate ($pwsSrcStatus)"
ShowVerboseSecurity
Write-Output "Usable detection rules list saved to: UsableRules.csv"
Write-Output "Unusable detection rules list saved to: UnusableRules.csv"

264
WELAAuditMsg.psm1
View File

@@ -2,189 +2,189 @@ function ShowVerboseSecurity {
$msg = @"
Account Logon
- Credential Validation $m_credential_validation
- Volume: ``Depends on NTLM usage. Could be high on DCs and low on clients and servers.``
- Default settings: ``Client OS: No Auditing`` | ``Server OS: Success``
- Recommended settings: ``Client and Server OSes: Success and Failure``
- Volume: Depends on NTLM usage. Could be high on DCs and low on clients and servers.
- Default settings: Client OS: No Auditing | Server OS: Success
- Recommended settings: Client and Server OSes: Success and Failure
- Kerberos Authentication Service $m_kerberos_authentication_service
- Volume: ``High``
- Default settings: ``Client OS: No Auditing`` | ``Server OS: Success``
- Recommended settings: ``Client OS: No Auditing`` | ``Server OS: Success and Failure``
- Volume: High
- Default settings: Client OS: No Auditing | Server OS: Success
- Recommended settings: Client OS: No Auditing | Server OS: Success and Failure
- Kerberos Service Ticket Operations $m_kerberos_sevice_ticket_operations
- Volume: ``High``
- Default settings: ``Client OS: No Auditing`` | ``Server OS: Success``
- Recommended settings: ``Domain Controllers: Success and Failure``
- Volume: High
- Default settings: Client OS: No Auditing | Server OS: Success
- Recommended settings: Domain Controllers: Success and Failure
Account Management
- Computer Account Management $m_computer_account_management
- Volume: ``Low``
- Default settings: ``Client OS: No Auditing`` | ``Server OS: Success Only``
- Recommended settings: ``Domain Controllers: Success and Failure``
- Volume: Low
- Default settings: Client OS: No Auditing | Server OS: Success Only
- Recommended settings: Domain Controllers: Success and Failure
- Other Account Management Events $m_other_account_management
- Volume: ``Low``
- Default settings: ``No Auditing``
- Recommended settings: ``Success and Failure``
- Volume: Low
- Default settings: No Auditing
- Recommended settings: Success and Failure
- Security Group Management $m_security_group_management
- Volume: ``Low``
- Default settings: ``Success``
- Recommended settings: ``Success and Failure``
- Volume: Low
- Default settings: Success
- Recommended settings: Success and Failure
- User Account Management $m_user_account_management
- Volume: ``Low``
- Default settings: ``Success``
- Recommended settings: ``Success and Failure``
- Volume: Low
- Default settings: Success
- Recommended settings: Success and Failure
Detailed Tracking
- Plug and Play Events $m_plug_and_play_events
- Volume: ``Typcially low``
- Default settings: ``No Auditing``
- Recommended settings: ``Success and Failure``
- Volume: Typcially low
- Default settings: No Auditing
- Recommended settings: Success and Failure
- Process Creation $m_process_creation
- Volume: ``High``
- Default settings: ``No Auditing``
- Recommended settings: ``Success and Failure`` if sysmon is not configured.
- Volume: High
- Default settings: No Auditing
- Recommended settings: Success and Failure if sysmon is not configured.
- Process Termination $m_process_termination
- Volume: ``High``
- Default settings: ``No Auditing``
- Recommended settings: ``No Auditing`` unless you want to track the lifespan of processes.
- Volume: High
- Default settings: No Auditing
- Recommended settings: No Auditing unless you want to track the lifespan of processes.
- RPC (Remote Procedure Call) Events $m_rpc_events
- Volume: ``High on RPC servers`` (According to Microsoft)
- Default settings: ``No Auditing``
- Recommended settings: ``Unknown. Needs testing.``
- Volume: High on RPC servers (According to Microsoft)
- Default settings: No Auditing
- Recommended settings: Unknown. Needs testing.
- Token Right Adjusted Events $m_token_right_adjusted_events
- Volume: ``Unknown``
- Default settings: ``No Auditing``
- Recommended settings: ``Unknown. Needs testing.``
- Volume: Unknown
- Default settings: No Auditing
- Recommended settings: Unknown. Needs testing.
DS (Directory Service) Access
- Directory Service Access $m_directory_service_access
- Volume: ``High``
- Default settings: ``Client OS: No Auditing`` | ``Server OS: Success``
- Recommended settings: ``Client OS: No Auditing`` | ``ADDS Server: Success and Failure``
- Volume: High
- Default settings: Client OS: No Auditing | Server OS: Success
- Recommended settings: Client OS: No Auditing | ADDS Server: Success and Failure
- Directory Service Changes
- Volume: ``High``
- Default settings: ``No Auditing``
- Recommended settings: ``Client OS: No Auditing`` | ``ADDS Server: Success and Failure``
- Volume: High
- Default settings: No Auditing
- Recommended settings: Client OS: No Auditing | ADDS Server: Success and Failure
Logon/Logoff
- Account Lockout $m_account_lockout
- Volume: ``Low``
- Default settings: ``Success``
- Recommended settings: ``Success and Failure``
- Volume: Low
- Default settings: Success
- Recommended settings: Success and Failure
- Group Membership
- Volume: Adds an extra ``4627`` event to every logon.
- Default settings: ``No Auditing``
- Recommended settings: ``No Auditing``
- Volume: Adds an extra 4627 event to every logon.
- Default settings: No Auditing
- Recommended settings: No Auditing
- Logoff $m_logoff
- Volume: ``High``
- Default settings: ``Success``
- Recommended settings: ``Success``
- Volume: High
- Default settings: Success
- Recommended settings: Success
- Logon $m_logon
- Volume: ``Low on clients, medium on DCs or network servers``
- Default settings: ``Client OS: Success`` | ``Server OS: Success and Failure``
- Recommended settings: ``Success and Failure``
- Volume: Low on clients, medium on DCs or network servers
- Default settings: Client OS: Success | Server OS: Success and Failure
- Recommended settings: Success and Failure
- Other Logon/Logoff Events $m_other_logon_logoff_events
- Volume: ``Low``
- Default settings: ``No Auditing``
- Recommended settings: ``Success and Failure``
- Volume: Low
- Default settings: No Auditing
- Recommended settings: Success and Failure
- Special Logon $m_special_logon
- Volume: ``Low on clients. Medium on DC or network servers.``
- Default settings: ``Success``
- Recommended settings: ``Success and Failure``
- Volume: Low on clients. Medium on DC or network servers.
- Default settings: Success
- Recommended settings: Success and Failure
Object Access
- Certification Services $m_certification_services
- Volume: ``Low to medium``
- Default settings: ``No Auditing``
- Recommended settings: ``Success and Failure`` for AD CS role servers.
- Volume: Low to medium
- Default settings: No Auditing
- Recommended settings: Success and Failure for AD CS role servers.
- Detailed File Share $m_detailed_file_share
- Volume: ``Very high for file servers and DCs, however, may be necessary if you want to track who is accessing what files as well as detect various lateral movement.``
- Default settings: ``No Auditing``
- Recommended settings: ``No Auditing`` due to the high noise level. Enable if you can though.
- Volume: Very high for file servers and DCs, however, may be necessary if you want to track who is accessing what files as well as detect various lateral movement.
- Default settings: No Auditing
- Recommended settings: No Auditing due to the high noise level. Enable if you can though.
- File Share $m_file_share
- Volume: ``High for file servers and DCs.``
- Default settings: ``No Auditing``
- Recommended settings: ``Success and Failure``
- Volume: High for file servers and DCs.
- Default settings: No Auditing
- Recommended settings: Success and Failure
- File System $m_file_system
- Volume: ``Depends on SACL rules``
- Default settings: ``No Auditing``
- Recommended settings: ``Enable SACLs just for sensitive files``
- Volume: Depends on SACL rules
- Default settings: No Auditing
- Recommended settings: Enable SACLs just for sensitive files
- Filtering Platform Connection $m_filtering_platform_connection
- Volume: ``High``
- Default settings: ``No Auditing``
- Recommended settings: ``Success and Failure`` if you have enough space and are not monitoring network connections with sysmon. This should cause a high amount of events though.
- Volume: High
- Default settings: No Auditing
- Recommended settings: Success and Failure if you have enough space and are not monitoring network connections with sysmon. This should cause a high amount of events though.
- Filtering Platform Packet Drop $m_filtering_platform_packet_drop
- Volume: ``High``
- Default settings: ``No Auditing``
- Recommended settings: ``Success and Failure`` if you have enough space and are not monitoring network connections with sysmon. This should cause a high amount of events though.
- Volume: High
- Default settings: No Auditing
- Recommended settings: Success and Failure if you have enough space and are not monitoring network connections with sysmon. This should cause a high amount of events though.
- Kernel Object $m_kernel_object
- Volume: ``High if auditing access of global object access is enabled``
- Default settings: ``No Auditing``
- Recommended settings: ``Success and Failure`` but do not enable ``Audit the access of global system objects`` as you will generate too many ``4663: Object Access`` events.
- Volume: High if auditing access of global object access is enabled
- Default settings: No Auditing
- Recommended settings: Success and Failure but do not enable Audit the access of global system objects as you will generate too many 4663: Object Access events.
- Handle Manipulation $m_handle_manipulation
- Volume: ``High``
- Default settings: ``No Auditing``
- Recommended settings: ``Success and Failure``
- Volume: High
- Default settings: No Auditing
- Recommended settings: Success and Failure
- Other Object Access Events $m_other_object_access_events
- Volume: ``Low``
- Default settings: ``No Auditing``
- Recommended settings: ``Success and Failure``
- Volume: Low
- Default settings: No Auditing
- Recommended settings: Success and Failure
- Registry $m_registry
- Volume: ``Depends on SACLs``
- Default settings: ``No Auditing``
- Recommended settings: ``Set SACLs for only the registry keys that you want to monitor``
- Volume: Depends on SACLs
- Default settings: No Auditing
- Recommended settings: Set SACLs for only the registry keys that you want to monitor
- Removable Storage $m_removable_storage
- Volume: ``Depends on how much removable storage is used``
- Default settings: ``No Auditing``
- Recommended settings: ``Success and Failure`` if you want to monitor external device usage.
- Volume: Depends on how much removable storage is used
- Default settings: No Auditing
- Recommended settings: Success and Failure if you want to monitor external device usage.
- SAM $m_sam
- Volume: ``High volume of events on Domain Controllers``
- Default settings: ``No Auditing``
- Recommended settings: ``Success and Failure`` if you can but may cause too high volume of noise so should be tested beforehand.
- Volume: High volume of events on Domain Controllers
- Default settings: No Auditing
- Recommended settings: Success and Failure if you can but may cause too high volume of noise so should be tested beforehand.
Policy Change
- Audit Policy Change $m_audit_policy_change
- Volume: ``Low``
- Default settings: ``Success``
- Recommended settings: ``Success and Failure``
- Volume: Low
- Default settings: Success
- Recommended settings: Success and Failure
- Authentication Policy Change $m_authentication_policy_change
- Volume: ``Low``
- Default settings: ``Success``
- Recommended settings: ``Success and Failure``
- Volume: Low
- Default settings: Success
- Recommended settings: Success and Failure
- Authorization Policy Change $m_authorization_policy_change
- Volume: ``Medium to High``
- Default settings: ``No Auditing``
- Recommended settings: ``Unknown. Needs testing.``
- Volume: Medium to High
- Default settings: No Auditing
- Recommended settings: Unknown. Needs testing.
- Filtering Platform Policy Change $m_filtering_platform_policy_change
- Volume: ``Low``
- Default settings: ``No Auditing``
- Recommended settings: ``Unknown, Needs testing.``
- Volume: Low
- Default settings: No Auditing
- Recommended settings: Unknown, Needs testing.
- MPSSVC Rule-Level Policy Change $m_mpssvc_rule_level_policy_change
- Volume: ``Low``
- Default settings: ``No Auditing``
- Recommended settings: ``Unknown. Needs testing.``
- Volume: Low
- Default settings: No Auditing
- Recommended settings: Unknown. Needs testing.
- Other Policy Change Events $m_other_policy_change_events
- Volume: ``Low``
- Default settings: ``No Auditing``
- Recommended settings: ``No Auditing`` (Note: ACSC recommends ``Success and Failure``, however, this results in a lot of noise of ``5447 (A Windows Filtering Platform filter has been changed)`` events being generated.)
- Volume: Low
- Default settings: No Auditing
- Recommended settings: No Auditing (Note: ACSC recommends Success and Failure, however, this results in a lot of noise of 5447 (A Windows Filtering Platform filter has been changed) events being generated.)
Privilege Use
- Non Sensitive Use Events $m_non_sensitive_use_events
- Volume: ``Very high``
- Default settings: ``No Auditing``
- Recommended settings: ``No Auditing``
- Volume: Very high
- Default settings: No Auditing
- Recommended settings: No Auditing
- Sensitive Privilege Use $m_sensitive_privilege_use
- Volume: ``High``
- Default settings: ``No Auditing``
- Recommended settings: ``Success and Failure`` However, this may be too noisy.
- Volume: High
- Default settings: No Auditing
- Recommended settings: Success and Failure However, this may be too noisy.
System
- Other System Events $m_other_system_events
- Volume: ``Low``
- Default settings: ``Success and Failure``
- Recommended settings: ``Unknown. Needs testing.``
- Volume: Low
- Default settings: Success and Failure
- Recommended settings: Unknown. Needs testing.
- Security State Change $m_security_state_change
- Volume: ``Low``
- Default settings: ``Success``
- Recommended settings: ``Success and Failure``
- Volume: Low
- Default settings: Success
- Recommended settings: Success and Failure
- Security System Extension $m_security_system_extension
- Volume: ``Low, but more on DCs``
- Default settings: ``No Auditing``
- Recommended settings: ``Success and Failure``
- Volume: Low, but more on DCs
- Default settings: No Auditing
- Recommended settings: Success and Failure
- System Integrity $m_system_integrity
- Volume: ``Low``
- Default settings: ``Sucess, Failure``
- Recommended settings: ``Success and Failure``
- Volume: Low
- Default settings: Sucess, Failure
- Recommended settings: Success and Failure
"@
Write-Host $msg
}