From 4f9fab2523e8471a7405f01a114cfb05a2dff1b8 Mon Sep 17 00:00:00 2001
From: fukusuket <41001169+fukusuket@users.noreply.github.com>
Date: Wed, 2 Apr 2025 10:22:04 +0900
Subject: [PATCH] feat: verbose security
---
 WELA.ps1 | 2 +-
 WELAVerboseSecAudit.psm1 | 36 ++++++++++++++++++++++++++++++++++++
 2 files changed, 37 insertions(+), 1 deletion(-)
diff --git a/WELA.ps1 b/WELA.ps1
index 3b14aafe..38b2544a 100644
--- a/WELA.ps1
+++ b/WELA.ps1
@@ -72,7 +72,7 @@ ShowRulesCountsByLevel -usableRate $usablePwsClaRate -msg "PowerShell classic lo
 ShowRulesCountsByLevel -usableRate $usablePwsModRate -msg "PowerShell module logging detection rules: " -colorMsg "$totalUsablePwsModRate ($pwsModStatus)"
 ShowRulesCountsByLevel -usableRate $usablePwsScrRate -msg "PowerShell script block logging detection rules: " -colorMsg "$totalUsablePwsScrRate ($pwsSrcStatus)"
 ShowRulesCountsByLevel -usableRate $usableSecRate -msg "Security event log detection rules: " -colorMsg "$totalUsableSecRate (Partially Enabled)"
-ShowVerboseSecurity
+ShowVerboseSecurity -rules $rules
 Write-Output "Usable detection rules list saved to: UsableRules.csv"
 Write-Output "Unusable detection rules list saved to: UnusableRules.csv"
diff --git a/WELAVerboseSecAudit.psm1 b/WELAVerboseSecAudit.psm1
index da45ff3a..aea770af 100644
--- a/WELAVerboseSecAudit.psm1
+++ b/WELAVerboseSecAudit.psm1
@@ -1,4 +1,40 @@
+function Get-RuleCounts {
+ param (
+ [string]$guid,
+ [array]$rules
+ )
+
+ $filteredRules = $rules | Where-Object { $_.subcategory_guids -contains $guid }
+ if ($filteredRules.Count -eq 0) {
+ return "no rules"
+ }
+
+ $groupedRules = $filteredRules | Group-Object -Property level
+
+ $levels = @("critical", "high", "medium", "low", "informational")
+ $counts = @{}
+ foreach ($level in $levels) {
+ $counts[$level] = 0
+ }
+
+ foreach ($group in $groupedRules) {
+ $counts[$group.Name] = $group.Count
+ }
+
+ $status = if ($filteredRules[0].applicable) { "enabled" } else { "disabled" }
+
+ $result = "$status ("
+ $result += $levels | ForEach-Object { "$_: $($counts[$_])" } -join " | "
+ $result += ")"
+
+ return $result
+}
+
 function ShowVerboseSecurity {
+ param (
+ [array]$rules
+ )
+ Get-RuleCounts -guid "0CCE9226-69AE-11D9-BED3-505054503030" -rules $rules
 $m_credential_validation = "disabled (critical: 10 | high: 100 | medium | low: 10, info: 1000)"
 $m_kerberos_authentication_service = "disabled (critical: 10 | high: 100 | medium | low: 10, info: 1000)"
 $m_kerberos_sevice_ticket_operations = "disabled (critical: 10 | high: 100 | medium | low: 10, info: 1000)"
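Review bot: The `-join " | "` at the end of the `$result +=` line in Get-RuleCounts sits inside the ForEach-Object command's argument list, so PowerShell parses it as a parameter named `join` rather than as the join operator and the call fails with a parameter-binding error before any status string is built; wrapping the pipeline fixes it: `$result += ($levels | ForEach-Object { "$_: $($counts[$_])" }) -join " | "`. The enabled/disabled status is read from `$filteredRules[0].applicable` alone, which presumably assumes every rule mapped to one subcategory GUID shares the same applicability; a comment stating that, e.g. `# applicability is per subcategory, so the first matching rule is representative`, would make the intent checkable. The `Get-RuleCounts` call at the top of ShowVerboseSecurity is not assigned, so its string goes to the caller's output stream next to the hard-coded placeholder values that follow; ShowVerboseSecurity's body continues outside the hunk.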