From b4db197218906f1b181f96a627c6be9e9141a116 Mon Sep 17 00:00:00 2001
From: fukusuket <41001169+fukusuket@users.noreply.github.com>
Date: Sun, 2 Nov 2025 00:26:06 +0900
Subject: [PATCH 1/4] fix: add Crypto-DPAPI Debug logging support to WELA.ps1
---
 WELA.ps1 | 83 +++++++++++++++++++++++++++++++++++++++++++++++++++++++-
 1 file changed, 82 insertions(+), 1 deletion(-)
diff --git a/WELA.ps1 b/WELA.ps1
index 966fe80c..e66266a2 100644
--- a/WELA.ps1
+++ b/WELA.ps1
@@ -277,6 +277,26 @@ function GuideYamatoSecurity
 ""
 )
+ # Crypto-DPAPI Debug
+ $guid = ""
+ $eids = @()
+ $channels = @("Microsoft-Windows-Crypto-DPAPI/Debug")
+ $enabled = CheckRegistryValue -registryPath "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Crypto-DPAPI/Debug" -valueName "Enabled" -expectedValue 1
+ $current = if ($enabled) { "Enabled" } else { "Disabled" }
+ $rules = $all_rules | Where-Object { RuleFilter $_ $eids $channels $guid }
+ $rules | ForEach-Object { $_.applicable = $enabled }
+ $rules | ForEach-Object { $_.ideal = $true }
+ $auditResult += [WELA]::New(
+ "Crypto-DPAPI Debug",
+ "",
+ $current,
+ [array]$rules,
+ "Disabled",
+ "Enabled",
+ "",
+ ""
+ )
+
 # CodeIntegrity Operational
 $guid = ""
 $eids = @()
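Review bot: The 20-line Crypto-DPAPI Debug block added here is repeated almost verbatim in the GuideASD, GuideMSC and GuideMSS hunks of this patch, differing only in the `ideal` flag and the recommended-setting argument, so the long `HKLM:\...\WINEVT\Channels\...` path string now exists in four copies and a typo in any one of them would make that guide silently report the channel as Disabled. A small helper that derives the registry path from the channel name, e.g. `$enabled = CheckChannelEnabled "Microsoft-Windows-Crypto-DPAPI/Debug"`, would keep the four guides in step. The `ideal` value being `$true` here and `$false` in the other three guides looks deliberate but deserves a comment such as `# This guide recommends enabling the Debug channel; ASD/MSC/MSS leave it off`. Whether `CheckRegistryValue` treats an absent `Enabled` value as "not enabled" (the default state of a Debug channel) cannot be seen from the hunk and is worth confirming. GuideYamatoSecurity starts and ends outside the hunk.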
@@ -1513,6 +1533,26 @@ function GuideASD {
 ""
 )
+ # Crypto-DPAPI Debug
+ $guid = ""
+ $eids = @()
+ $channels = @("Microsoft-Windows-Crypto-DPAPI/Debug")
+ $enabled = CheckRegistryValue -registryPath "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Crypto-DPAPI/Debug" -valueName "Enabled" -expectedValue 1
+ $current = if ($enabled) { "Enabled" } else { "Disabled" }
+ $rules = $all_rules | Where-Object { RuleFilter $_ $eids $channels $guid }
+ $rules | ForEach-Object { $_.applicable = $enabled }
+ $rules | ForEach-Object { $_.ideal = $false }
+ $auditResult += [WELA]::New(
+ "Crypto-DPAPI Debug",
+ "",
+ $current,
+ [array]$rules,
+ "Disabled",
+ "",
+ "",
+ ""
+ )
+
 # Diagnosis-Scripted Operational
 $guid = ""
 $eids = @()
@@ -2730,6 +2770,26 @@ function GuideMSC {
 ""
 )
+ # Crypto-DPAPI Debug
+ $guid = ""
+ $eids = @()
+ $channels = @("Microsoft-Windows-Crypto-DPAPI/Debug")
+ $enabled = CheckRegistryValue -registryPath "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Crypto-DPAPI/Debug" -valueName "Enabled" -expectedValue 1
+ $current = if ($enabled) { "Enabled" } else { "Disabled" }
+ $rules = $all_rules | Where-Object { RuleFilter $_ $eids $channels $guid }
+ $rules | ForEach-Object { $_.applicable = $enabled }
+ $rules | ForEach-Object { $_.ideal = $false }
+ $auditResult += [WELA]::New(
+ "Crypto-DPAPI Debug",
+ "",
+ $current,
+ [array]$rules,
+ "Disabled",
+ "",
+ "",
+ ""
+ )
+
 # Diagnosis-Scripted Operational
 $guid = ""
 $eids = @()
@@ -3947,6 +4007,26 @@ function GuideMSS {
 ""
 )
+ # Crypto-DPAPI Debug
+ $guid = ""
+ $eids = @()
+ $channels = @("Microsoft-Windows-Crypto-DPAPI/Debug")
+ $enabled = CheckRegistryValue -registryPath "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Crypto-DPAPI/Debug" -valueName "Enabled" -expectedValue 1
+ $current = if ($enabled) { "Enabled" } else { "Disabled" }
+ $rules = $all_rules | Where-Object { RuleFilter $_ $eids $channels $guid }
+ $rules | ForEach-Object { $_.applicable = $enabled }
+ $rules | ForEach-Object { $_.ideal = $false }
+ $auditResult += [WELA]::New(
+ "Crypto-DPAPI Debug",
+ "",
+ $current,
+ [array]$rules,
+ "Disabled",
+ "",
+ "",
+ ""
+ )
+
 # Diagnosis-Scripted Operational
 $guid = ""
 $eids = @()
@@ -5506,6 +5586,7 @@ function ConfigureAuditSettings {
 "Microsoft-Windows-AppLocker/Packaged app-Deployment",
 "Microsoft-Windows-AppLocker/Packaged app-Execution",
 "Microsoft-Windows-CodeIntegrity/Operational",
+ "Microsoft-Windows-Crypto-DPAPI/Debug",
 "Microsoft-Windows-Diagnosis-Scripted/Operational",
 "Microsoft-Windows-DriverFrameworks-UserMode/Operational",
 "Microsoft-Windows-WMI-Activity/Operational",
@@ -5545,7 +5626,7 @@ function ConfigureAuditSettings {
 # 特定のログの有効化
 Write-Host "Enabling Event Logs..."
 Write-Host ""
- foreach ($log in @("Microsoft-Windows-TaskScheduler/Operational", "Microsoft-Windows-DriverFrameworks-UserMode/Operational")) {
+ foreach ($log in @("Microsoft-Windows-TaskScheduler/Operational", "Microsoft-Windows-DriverFrameworks-UserMode/Operational", "Microsoft-Windows-Crypto-DPAPI/Debug")) {
 try {
 $logInfo = Get-WinEvent -ListLog $log -ErrorAction Stop
 $currentState = if ($logInfo.IsEnabled) { "Enabled" } else { "Disabled" }
From f30868aa10e340b3edd498a34f1d6c3651970d84 Mon Sep 17 00:00:00 2001
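Review bot: Adding `Microsoft-Windows-Crypto-DPAPI/Debug` to the enable loop in the `@@ -5545` hunk puts a Debug channel next to two Operational channels, and Debug/Analytic channels behave differently: Windows refuses to change their maximum size while they are enabled, and their events are only readable with `Get-WinEvent -Oldest`. If the channel list extended in the `@@ -5506` hunk drives a size or retention change that runs after this loop (the ordering is outside both hunks), that change would fail for this channel; confirm the order, or disable the channel before resizing it. A comment on the new entry, e.g. `# Debug channel: must be disabled before its max size can be changed`, would make the constraint visible to the next editor. The foreach body continues outside the hunk.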
From: fukusuket <41001169+fukusuket@users.noreply.github.com>
Date: Sun, 2 Nov 2025 00:27:00 +0900
Subject: [PATCH 2/4] fix: add Crypto-DPAPI Debug log size configuration to WELA.ps1
---
 WELA.ps1 | 1 +
 1 file changed, 1 insertion(+)
diff --git a/WELA.ps1 b/WELA.ps1
index e66266a2..f98300dc 100644
--- a/WELA.ps1
+++ b/WELA.ps1
@@ -5409,6 +5409,7 @@ function AuditFileSize {
 "Microsoft-Windows-Bits-Client/Analytic" = @("1 MB", "128 MB+")
 "Microsoft-Windows-Bits-Client/Operational" = @("1 MB", "128 MB+")
 "Microsoft-Windows-CodeIntegrity/Operational" = @("1 MB", "128 MB+")
+ "Microsoft-Windows-Crypto-DPAPI/Debug" = @("1 MB", "128 MB+")
 "Microsoft-Windows-DriverFrameworks-UserMode/Operational" = @("1 MB", "128 MB+")
 "Microsoft-Windows-NTLM/Operational" = @("1 MB", "128 MB+")
 "Microsoft-Windows-PowerShell/Operational" = @("20 MB", "256 MB+")
From 4fdf712dbf6c645677eaeb7eed50235c35100c7d Mon Sep 17 00:00:00 2001
From: fukusuket <41001169+fukusuket@users.noreply.github.com>
Date: Sun, 2 Nov 2025 00:48:05 +0900
Subject: [PATCH 3/4] fix: update auditing logic in WELA.ps1 to differentiate between 'No Auditing' and 'Disabled' settings
---
 WELA.ps1 | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/WELA.ps1 b/WELA.ps1
index f98300dc..276649d1 100644
--- a/WELA.ps1
+++ b/WELA.ps1
@@ -5222,8 +5222,8 @@ function AuditLogSetting {
 if ($outType -eq "std") {
 $auditResult | Group-Object -Property Category | ForEach-Object {
- $enabledCount = ($_.Group | Where-Object { $_.CurrentSetting -ne "No Auditing" } | ForEach-Object { $_.Rules.Count } | Measure-Object -Sum).Sum
- $disabledCount = ($_.Group | Where-Object { $_.CurrentSetting -eq "No Auditing" } | ForEach-Object { $_.Rules.Count } | Measure-Object -Sum).Sum
+ $enabledCount = ($_.Group | Where-Object { $_.CurrentSetting -ne "No Auditing" -and $_.CurrentSetting -ne "Disabled" } | ForEach-Object { $_.Rules.Count } | Measure-Object -Sum).Sum
+ $disabledCount = ($_.Group | Where-Object { $_.CurrentSetting -eq "No Auditing" -or $_.CurrentSetting -eq "Disabled" } | ForEach-Object { $_.Rules.Count } | Measure-Object -Sum).Sum
 $out = ""
 $color = ""
 if ($disabledCount -eq 0 -and $enabledCount -ne 0){
From eb81232e7e4e6038d232301c790667fcb4ab863e Mon Sep 17 00:00:00 2001
From: fukusuket <41001169+fukusuket@users.noreply.github.com>
Date: Sun, 2 Nov 2025 02:05:30 +0900
Subject: [PATCH 4/4] fix: optimize rule counting logic in WELA.ps1 for improved performance
---
 WELA.ps1 | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/WELA.ps1 b/WELA.ps1
index 276649d1..dcc61978 100644
--- a/WELA.ps1
+++ b/WELA.ps1
@@ -61,7 +61,7 @@ class WELA {
 [void] CountByLevel() {
 $this.RulesCount = @{}
 foreach ($level in [WELA]::Levels) {
- $this.RulesCount[$level] = ($this.Rules | Where-Object { $_.level -eq $level }).Count
+ $this.RulesCount[$level] = @($this.Rules | Where-Object { $_.level -eq $level }).Count
 }
 }
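Review bot: Treating `"Disabled"` as a disabled setting in both new predicates makes the per-category summary depend only on the channel's current state, not on what the guide recommends: the Crypto-DPAPI Debug entries that GuideASD, GuideMSC and GuideMSS create in patch 1/4 pass `"Disabled"` as the recommended setting, so on a compliant machine that entry's rule count lands in `$disabledCount` and the `if ($disabledCount -eq 0 ...)` that follows no longer sees a clean category — assuming the third constructor argument is what ends up in `CurrentSetting`, which the hunk does not show. Comparing against the entry's recommended setting, or a comment stating that the summary is state-based rather than compliance-based, would settle the intent. The two predicates also repeat the same pair of strings; `$offStates = @("No Auditing", "Disabled")` with `-notin` / `-in` keeps them from drifting apart. The enclosing ForEach-Object block continues past the hunk.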
@@ -71,7 +71,7 @@ class WELA {
 $color = if ($this.CurrentSetting -eq "Enabled" -or $this.CurrentSetting -contains "Success" -or $this.CurrentSetting -contains "Failure") { "Green" } else { "Red" }
 $ruleCounts = ""
 $logEnabled = $this.CurrentSetting
- $allZero = $this.RulesCount.Values | Where-Object { $_ -ne 0 } | Measure-Object | Select-Object -ExpandProperty Count
+ $allZero = ($this.RulesCount.Values | Where-Object { $_ -ne 0 }).Count
 if ($allZero -eq 0) {
 $ruleCounts = "(no rules)"
 $color = "DarkYellow"
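Review bot: The new `.Count` on the parenthesised pipeline is not wrapped in `@()` the way the sibling change in `CountByLevel` in the previous hunk is; when exactly one level has a non-zero count the pipeline yields a scalar, and relying on PowerShell's scalar `.Count` extension behaves differently across host versions and under `Set-StrictMode`. For consistency with the previous hunk use `$allZero = @($this.RulesCount.Values | Where-Object { $_ -ne 0 }).Count`. The name `$allZero` now holds the number of levels with a non-zero count, so either rename it (`$nonZeroLevels`) or add `# number of levels that have at least one rule` so it is not read as a boolean. The enclosing method starts and ends outside the hunk.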