From f041c833c00058dd6b257a1f33ffdf6cc5411fbf Mon Sep 17 00:00:00 2001 From: fukusuket <41001169+fukusuket@users.noreply.github.com> Date: Fri, 16 May 2025 14:29:35 +0900 Subject: [PATCH 01/15] feat: add currentsetting --- WELA.ps1 | 731 +++++++++++++++++++++++++++++++++++-------------------- 1 file changed, 464 insertions(+), 267 deletions(-) diff --git a/WELA.ps1 b/WELA.ps1 index 3dc9ba09..54d92c3e 100644 --- a/WELA.ps1 +++ b/WELA.ps1 @@ -9,7 +9,7 @@ class WELA { static [array] $Levels = @('critical', 'high', 'medium', 'low', 'informational') [string] $Category [string] $SubCategory - [bool] $Enabled + [string] $CurrentSetting = "" [array] $Rules [hashtable] $RulesCount [string] $DefaultSetting = "" @@ -17,19 +17,19 @@ class WELA { [string] $Volume = "" [string] $Note = "" - WELA([string] $Category, [string] $SubCategory, [bool] $Enabled, [array] $Rules) { + WELA([string] $Category, [string] $SubCategory, [String] $CurrentSetting, [array] $Rules) { $this.Category = $Category $this.SubCategory = $SubCategory - $this.Enabled = $Enabled + $this.CurrentSetting = $CurrentSetting $this.Rules = $Rules $this.RulesCount = @{'critical' = 0; 'high' = 0; 'medium' = 0; 'low' = 0; 'informational' = 0} } - WELA([string] $Category, [string] $SubCategory, [bool] $Enabled, [array] $Rules, [string] $DefaultSetting, [string] $RecommendedSetting, [string] $Volume, [string] $Note) { + WELA([string] $Category, [string] $SubCategory, [string] $CurrentSetting, [array] $Rules, [string] $DefaultSetting, [string] $RecommendedSetting, [string] $Volume, [string] $Note) { $this.Category = $Category $this.SubCategory = $SubCategory - $this.Enabled = $Enabled + $this.CurrentSetting = $CurrentSetting $this.Rules = $Rules $this.DefaultSetting = $DefaultSetting $this.RecommendedSetting = $RecommendedSetting 
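Review bot: Dropping `[bool] $Enabled` in favour of `[string] $CurrentSetting` in the first hunk removes a public property, and any code elsewhere in the script that still reads `.Enabled` will silently receive `$null` rather than an error unless Set-StrictMode is on, so that property name should be searched for before merging. In the second hunk the new constructor parameter is typed `[String]` while every other parameter in both constructors uses `[string]`; harmless, but `[string] $CurrentSetting` keeps the two constructors consistent. A one-line comment above the property, such as `# State observed on this host ("Enabled"/"Disabled"); "" when not probed`, would document the contract the callers further down rely on. The second hunk's constructor body continues past the end of this line.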
@@ -99,6 +99,9 @@ class WELA { if ($this.DefaultSetting) { Write-Host " - Default Setting: $($this.DefaultSetting)" } + if ($this.CurrentSetting) { + Write-Host " - CurrentSetting Setting: $($this.CurrentSetting)" + } if ($this.RecommendedSetting) { Write-Host " - Recommended Setting: $($this.RecommendedSetting)" } @@ -207,7 +210,7 @@ function GuideYamatoSecurity $rules | ForEach-Object { $_.applicable = $enabled } $auditResult += [WELA]::New( "Application", - "", + "Enabled", $enabled, [array]$rules, "Enabled", @@ -226,7 +229,7 @@ function GuideYamatoSecurity $auditResult += [WELA]::New( "Applocker", "", - $enabled, + "Enabled", [array]$rules, "Enabled", "Enabled", @@ -244,7 +247,7 @@ function GuideYamatoSecurity $auditResult += [WELA]::New( "Bits-Client Operational", "", - $enabled, + "Enabled", [array]$rules, "Enabled", "Enabled", @@ -262,7 +265,7 @@ function GuideYamatoSecurity $auditResult += [WELA]::New( "CodeIntegrity Operational", "", - $enabled, + "Enabled", [array]$rules, "Enabled", "Enabled", @@ -280,7 +283,7 @@ function GuideYamatoSecurity $auditResult += [WELA]::New( "Diagnosis-Scripted Operational", "", - $enabled, + "Enabled", [array]$rules, "Enabled", "Enabled", @@ -298,7 +301,7 @@ function GuideYamatoSecurity $auditResult += [WELA]::New( "DriverFrameworks-UserMode Operational", "", - $enabled, + "Enabled", [array]$rules, "Enabled", "Enabled", @@ -316,7 +319,7 @@ function GuideYamatoSecurity $auditResult += [WELA]::New( "Firewall", "", - $enabled, + "Enabled", [array]$rules, "Enabled", "Enabled", @@ -334,7 +337,7 @@ function GuideYamatoSecurity $auditResult += [WELA]::New( "Microsoft-Windows-NTLM/Operational", "", - $enabled, + "Enabled", [array]$rules, "Enabled", "Enabled", @@ -353,7 +356,7 @@ function GuideYamatoSecurity $auditResult += [WELA]::New( "PowerShell", "Classic", - $enabled, + "Enabled", [array]$rules, "Enabled", "Enabled", 
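Review bot: The label added in the first hunk, `Write-Host " - CurrentSetting Setting: $($this.CurrentSetting)"`, repeats the word "Setting" and does not match the neighbouring "Default Setting"/"Recommended Setting" lines; `Write-Host " - Current Setting: $($this.CurrentSetting)"` is what was meant. In the `Application` hunk that follows, the edit replaced the SubCategory argument `""` with `"Enabled"` and left `$enabled` in the CurrentSetting position, so that entry now gets SubCategory "Enabled" and a CurrentSetting of "True"/"False" (the bool stringified), unlike every other hunk on this line, which keeps `""` and replaces `$enabled`. The remaining hunks hard-code `"Enabled"` as the current setting; if `$enabled` is computed for those channels rather than set to `$true` above the hunk, the literal discards the measured value, and the `$current = if ($enabled) { "Enabled" } else { "Disabled" }` form used in later hunks should be applied here as well.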
@@ -368,10 +371,11 @@ function GuideYamatoSecurity $enabled = CheckRegistryValue -registryPath "HKLM:\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\PowerShell\ModuleLogging" -valueName "EnableModuleLogging" -expectedValue 1 $rules = $all_rules | Where-Object { RuleFilter $_ $eids $channels $guid } $rules | ForEach-Object { $_.applicable = $enabled } + $current = if ($enabled) { "Enabled" } else { "Disabled" } $auditResult += [WELA]::New( "PowerShell", "Module", - $enabled, + $current, [array]$rules, "No Auditing", "Enabled", @@ -386,10 +390,11 @@ function GuideYamatoSecurity $enabled = CheckRegistryValue -registryPath "HKLM:\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging" -valueName "EnableScriptBlockLogging" -expectedValue 1 $rules = $all_rules | Where-Object { RuleFilter $_ $eids $channels $guid } $rules | ForEach-Object { $_.applicable = $enabled } + $current = if ($enabled) { "Enabled" } else { "Disabled" } $auditResult += [WELA]::New( "PowerShell", "ScriptBlock", - $enabled, + $current, [array]$rules, "Partially Enabled", "Enabled", @@ -407,7 +412,7 @@ function GuideYamatoSecurity $auditResult += [WELA]::New( "PrintService", "PrintService Admin", - $enabled, + "Enabled", [array]$rules, "Enabled", "Enabled", @@ -425,7 +430,7 @@ function GuideYamatoSecurity $auditResult += [WELA]::New( "PrintService", "PrintService Operational", - $enabled, + "Enabled", [array]$rules, "Enabled", "Enabled", @@ -442,10 +447,11 @@ function GuideYamatoSecurity $channels = @("sec") $enabled = $enabledguid -contains $guid $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $current = if ($enabled) { "Enabled" } else { "Disabled" } $auditResult += [WELA]::New( "Security Advanced (Account Logon)", "Credential Validation", - $enabled, + $current, [array]$rules, "Client OS: No Auditing | Server OS: Success", "Client and Server OSes: Success and Failure", 
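Review bot: The `$current = if ($enabled) { "Enabled" } else { "Disabled" }` line introduced in the Module logging hunk is repeated verbatim in nearly every hunk that follows through the end of this patch; a small helper such as `function ToSettingText([bool] $enabled) { if ($enabled) { "Enabled" } else { "Disabled" } }`, called as `ToSettingText $enabled`, would make the mapping a single point of change if a third state (for example "Not configured") is ever needed. Separately, the context line probes `HKLM:\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\PowerShell\ModuleLogging`; the key Group Policy writes on 64-bit hosts is `HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ModuleLogging`, so a host with module logging enforced there may be reported as Disabled — worth confirming which key the tool is meant to read. The same applies to the ScriptBlockLogging hunk on this line and to the two matching GuideASD hunks later in the patch. Each hunk's enclosing function starts outside the hunk.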
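Review bot: For the audit-policy subcategories starting with the `Credential Validation` hunk, the current setting is derived from `$enabled = $enabledguid -contains $guid`, which collapses the state to Enabled/Disabled, while the recommended setting on the following lines is expressed as "Success and Failure"; a subcategory auditing only Success would therefore be shown as "Enabled" beside a recommendation it does not meet. If `$enabledguid` is built from auditpol output (not visible here), consider carrying the Success/Failure text from that output into CurrentSetting so it is comparable with the recommendation, or at minimum add a comment above the assignment such as `# "Enabled" means any auditing is on; Success/Failure granularity is not compared`. The same applies to every "Security Advanced" hunk that follows in both guide functions.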
@@ -459,10 +465,11 @@ function GuideYamatoSecurity $channels = @("sec") $enabled = $enabledguid -contains $guid $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $current = if ($enabled) { "Enabled" } else { "Disabled" } $auditResult += [WELA]::New( "Security Advanced (Account Logon)", "Kerberos Authentication Service", - $enabled, + $current, [array]$rules, "Client OS: No Auditing | Server OS: Success", "Client OS: No Auditing | Server OS: Success and Failure", @@ -476,10 +483,11 @@ function GuideYamatoSecurity $channels = @("sec") $enabled = $enabledguid -contains $guid $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $current = if ($enabled) { "Enabled" } else { "Disabled" } $auditResult += [WELA]::New( "Security Advanced (Account Logon)", "Kerberos Service Ticket Operations", - $enabled, + $current, [array]$rules, "Client OS: No Auditing | Server OS: Success", "Domain Controllers: Success and Failure", @@ -494,10 +502,11 @@ function GuideYamatoSecurity $channels = @("sec") $enabled = $enabledguid -contains $guid $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $current = if ($enabled) { "Enabled" } else { "Disabled" } $auditResult += [WELA]::New( "Security Advanced (Account Management)", "Computer Account Management", - $enabled, + $current, [array]$rules, "Client OS: No Auditing | Server OS: Success", "Domain Controllers: Success and Failure", @@ -511,10 +520,11 @@ function GuideYamatoSecurity $channels = @("sec") $enabled = $enabledguid -contains $guid $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $current = if ($enabled) { "Enabled" } else { "Disabled" } $auditResult += [WELA]::New( "Security Advanced (Account Management)", "Other Account Management Events", - $enabled, + $current, [array]$rules, "No Auditing", "Success and Failure", 
@@ -528,10 +538,11 @@ function GuideYamatoSecurity $channels = @("sec") $enabled = $enabledguid -contains $guid $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $current = if ($enabled) { "Enabled" } else { "Disabled" } $auditResult += [WELA]::New( "Security Advanced (Account Management)", "Security Group Management", - $enabled, + $current, [array]$rules, "No Auditing", "Success and Failure", @@ -545,10 +556,11 @@ function GuideYamatoSecurity $channels = @("sec") $enabled = $enabledguid -contains $guid $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $current = if ($enabled) { "Enabled" } else { "Disabled" } $auditResult += [WELA]::New( "Security Advanced (Account Management)", "User Account Management", - $enabled, + $current, [array]$rules, "No Auditing", "Success and Failure", @@ -563,10 +575,11 @@ function GuideYamatoSecurity $channels = @("sec") $enabled = $enabledguid -contains $guid $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $current = if ($enabled) { "Enabled" } else { "Disabled" } $auditResult += [WELA]::New( "Security Advanced (Detailed Tracking)", "Plug and Play Events", - $enabled, + $current, [array]$rules, "No Auditing", "Success and Failure", @@ -580,10 +593,11 @@ function GuideYamatoSecurity $channels = @("sec") $enabled = $enabledguid -contains $guid $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $current = if ($enabled) { "Enabled" } else { "Disabled" } $auditResult += [WELA]::New( "Security Advanced (Detailed Tracking)", "Process Creation", - $enabled, + $current, [array]$rules, "No Auditing", "Success and Failure", 
@@ -597,10 +611,11 @@ function GuideYamatoSecurity $channels = @("sec") $enabled = $enabledguid -contains $guid $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $current = if ($enabled) { "Enabled" } else { "Disabled" } $auditResult += [WELA]::New( "Security Advanced (Detailed Tracking)", "Process Termination", - $enabled, + $current, [array]$rules, "No Auditing", "No Auditing", @@ -614,10 +629,11 @@ function GuideYamatoSecurity $channels = @("sec") $enabled = $enabledguid -contains $guid $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $current = if ($enabled) { "Enabled" } else { "Disabled" } $auditResult += [WELA]::New( "Security Advanced (Detailed Tracking)", "RPC Events", - $enabled, + $current, [array]$rules, "No Auditing", "", @@ -631,10 +647,11 @@ function GuideYamatoSecurity $channels = @("sec") $enabled = $enabledguid -contains $guid $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $current = if ($enabled) { "Enabled" } else { "Disabled" } $auditResult += [WELA]::New( "Security Advanced (Detailed Tracking)", "Token Right Adjusted Events", - $enabled, + $current, [array]$rules, "No Auditing", "", @@ -649,10 +666,11 @@ function GuideYamatoSecurity $channels = @("sec") $enabled = $enabledguid -contains $guid $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $current = if ($enabled) { "Enabled" } else { "Disabled" } $auditResult += [WELA]::New( "Security Advanced (DS Access)", "Directory Service Access", - $enabled, + $current, [array]$rules, "Client OS: No Auditing | Server OS: Success", "Client OS: No Auditing | ADDS Server: Success and Failure", 
@@ -666,10 +684,11 @@ function GuideYamatoSecurity $channels = @("sec") $enabled = $enabledguid -contains $guid $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $current = if ($enabled) { "Enabled" } else { "Disabled" } $auditResult += [WELA]::New( "Security Advanced (DS Access)", "Directory Service Changes", - $enabled, + $current, [array]$rules, "No Auditing", "Client OS: No Auditing | ADDS Server: Success and Failure", @@ -684,10 +703,11 @@ function GuideYamatoSecurity $channels = @("sec") $enabled = $enabledguid -contains $guid $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $current = if ($enabled) { "Enabled" } else { "Disabled" } $auditResult += [WELA]::New( "Security Advanced (Logon/Logoff)", "Account Lockout", - $enabled, + $current, [array]$rules, "Success", "Success and Failure", @@ -701,10 +721,11 @@ function GuideYamatoSecurity $channels = @("sec") $enabled = $enabledguid -contains $guid $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $current = if ($enabled) { "Enabled" } else { "Disabled" } $auditResult += [WELA]::New( "Security Advanced (Logon/Logoff)", "Group Membership", - $enabled, + $current, [array]$rules, "No Auditing", "No Auditing", @@ -718,10 +739,11 @@ function GuideYamatoSecurity $channels = @("sec") $enabled = $enabledguid -contains $guid $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $current = if ($enabled) { "Enabled" } else { "Disabled" } $auditResult += [WELA]::New( "Security Advanced (Logon/Logoff)", "Group Membership", - $enabled, + $current, [array]$rules, "No Auditing", "No Auditing", 
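Review bot: The last two hunks on this line both label their entry `"Group Membership"` under "Security Advanced (Logon/Logoff)", so the report will contain two rows with the same name and no way to tell which audit subcategory each one probes; the GUID lines that would disambiguate them sit above the hunks. The same duplication appears for "Certification Services" in the next two lines, for "Other System Events" later on, and again in the GuideASD section. Presumably one of each pair is a copy-paste leftover whose SubCategory should be corrected — verify against the GUID assigned above each entry.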
@@ -735,10 +757,11 @@ function GuideYamatoSecurity $channels = @("sec") $enabled = $enabledguid -contains $guid $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $current = if ($enabled) { "Enabled" } else { "Disabled" } $auditResult += [WELA]::New( "Security Advanced (Logon/Logoff)", "Logon", - $enabled, + $current, [array]$rules, "Client OS: Success | Server OS: Success and Failure", "Success and Failure", @@ -752,10 +775,11 @@ function GuideYamatoSecurity $channels = @("sec") $enabled = $enabledguid -contains $guid $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $current = if ($enabled) { "Enabled" } else { "Disabled" } $auditResult += [WELA]::New( "Security Advanced (Logon/Logoff)", "Other Logon/Logoff Events", - $enabled, + $current, [array]$rules, "No Auditing", "Success and Failure", @@ -769,10 +793,11 @@ function GuideYamatoSecurity $channels = @("sec") $enabled = $enabledguid -contains $guid $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $current = if ($enabled) { "Enabled" } else { "Disabled" } $auditResult += [WELA]::New( "Security Advanced (Logon/Logoff)", "Special Logon", - $enabled, + $current, [array]$rules, "Success", "Success and Failure", @@ -788,10 +813,11 @@ function GuideYamatoSecurity $channels = @("sec") $enabled = $enabledguid -contains $guid $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $current = if ($enabled) { "Enabled" } else { "Disabled" } $auditResult += [WELA]::New( "Security Advanced (Object Access)", "Certification Services", - $enabled, + $current, [array]$rules, "No Auditing", "Success and Failure for AD CS role servers", 
@@ -805,10 +831,11 @@ function GuideYamatoSecurity $channels = @("sec") $enabled = $enabledguid -contains $guid $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $current = if ($enabled) { "Enabled" } else { "Disabled" } $auditResult += [WELA]::New( "Security Advanced (Object Access)", "Certification Services", - $enabled, + $current, [array]$rules, "No Auditing", "No Auditing", @@ -822,10 +849,11 @@ function GuideYamatoSecurity $channels = @("sec") $enabled = $enabledguid -contains $guid $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $current = if ($enabled) { "Enabled" } else { "Disabled" } $auditResult += [WELA]::New( "Security Advanced (Object Access)", "File Share", - $enabled, + $current, [array]$rules, "No Auditing", "Success and Failure", @@ -839,10 +867,11 @@ function GuideYamatoSecurity $channels = @("sec") $enabled = $enabledguid -contains $guid $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $current = if ($enabled) { "Enabled" } else { "Disabled" } $auditResult += [WELA]::New( "Security Advanced (Object Access)", "File System", - $enabled, + $current, [array]$rules, "No Auditing", "Enable", @@ -856,10 +885,11 @@ function GuideYamatoSecurity $channels = @("sec") $enabled = $enabledguid -contains $guid $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $current = if ($enabled) { "Enabled" } else { "Disabled" } $auditResult += [WELA]::New( "Security Advanced (Object Access)", "Filtering Platform Connection", - $enabled, + $current, [array]$rules, "No Auditing", "Success and Failure", 
@@ -873,10 +903,11 @@ function GuideYamatoSecurity $channels = @("sec") $enabled = $enabledguid -contains $guid $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $current = if ($enabled) { "Enabled" } else { "Disabled" } $auditResult += [WELA]::New( "Security Advanced (Object Access)", "Filtering Platform Packet Drop", - $enabled, + $current, [array]$rules, "No Auditing", "Success and Failure", @@ -890,10 +921,11 @@ function GuideYamatoSecurity $channels = @("sec") $enabled = $enabledguid -contains $guid $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $current = if ($enabled) { "Enabled" } else { "Disabled" } $auditResult += [WELA]::New( "Security Advanced (Object Access)", "Kernel Object", - $enabled, + $current, [array]$rules, "No Auditing", "Success and Failure", @@ -907,10 +939,11 @@ function GuideYamatoSecurity $channels = @("sec") $enabled = $enabledguid -contains $guid $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $current = if ($enabled) { "Enabled" } else { "Disabled" } $auditResult += [WELA]::New( "Security Advanced (Object Access)", "Handle Manipulation", - $enabled, + $current, [array]$rules, "No Auditing", "Success and Failure", @@ -924,10 +957,11 @@ function GuideYamatoSecurity $channels = @("sec") $enabled = $enabledguid -contains $guid $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $current = if ($enabled) { "Enabled" } else { "Disabled" } $auditResult += [WELA]::New( "Security Advanced (Object Access)", "Other Object Access Events", - $enabled, + $current, [array]$rules, "No Auditing", "Success and Failure", 
@@ -941,10 +975,11 @@ function GuideYamatoSecurity $channels = @("sec") $enabled = $enabledguid -contains $guid $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $current = if ($enabled) { "Enabled" } else { "Disabled" } $auditResult += [WELA]::New( "Security Advanced (Object Access)", "Registry", - $enabled, + $current, [array]$rules, "No Auditing", "Success and Failure", @@ -958,10 +993,11 @@ function GuideYamatoSecurity $channels = @("sec") $enabled = $enabledguid -contains $guid $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $current = if ($enabled) { "Enabled" } else { "Disabled" } $auditResult += [WELA]::New( "Security Advanced (Object Access)", "Removable Storage", - $enabled, + $current, [array]$rules, "No Auditing", "Success and Failure", @@ -975,10 +1011,11 @@ function GuideYamatoSecurity $channels = @("sec") $enabled = $enabledguid -contains $guid $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $current = if ($enabled) { "Enabled" } else { "Disabled" } $auditResult += [WELA]::New( "Security Advanced (Object Access)", "SAM", - $enabled, + $current, [array]$rules, "No Auditing", "Success and Failure", @@ -993,10 +1030,11 @@ function GuideYamatoSecurity $channels = @("sec") $enabled = $enabledguid -contains $guid $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $current = if ($enabled) { "Enabled" } else { "Disabled" } $auditResult += [WELA]::New( "Security Advanced (Policy Change)", "Audit Policy Change", - $enabled, + $current, [array]$rules, "Success", "Success and Failure", 
@@ -1010,10 +1048,11 @@ function GuideYamatoSecurity $channels = @("sec") $enabled = $enabledguid -contains $guid $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $current = if ($enabled) { "Enabled" } else { "Disabled" } $auditResult += [WELA]::New( "Security Advanced (Policy Change)", "Authentication Policy Change", - $enabled, + $current, [array]$rules, "Success", "Success and Failure", @@ -1027,10 +1066,11 @@ function GuideYamatoSecurity $channels = @("sec") $enabled = $enabledguid -contains $guid $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $current = if ($enabled) { "Enabled" } else { "Disabled" } $auditResult += [WELA]::New( "Security Advanced (Policy Change)", "Authorization Policy Change", - $enabled, + $current, [array]$rules, "No Auditing", "", @@ -1044,10 +1084,11 @@ function GuideYamatoSecurity $channels = @("sec") $enabled = $enabledguid -contains $guid $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $current = if ($enabled) { "Enabled" } else { "Disabled" } $auditResult += [WELA]::New( "Security Advanced (Policy Change)", "Filtering Platform Policy Change", - $enabled, + $current, [array]$rules, "No Auditing", "", @@ -1061,10 +1102,11 @@ function GuideYamatoSecurity $channels = @("sec") $enabled = $enabledguid -contains $guid $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $current = if ($enabled) { "Enabled" } else { "Disabled" } $auditResult += [WELA]::New( "Security Advanced (Policy Change)", "MPSSVC Rule-Level Policy Change", - $enabled, + $current, [array]$rules, "No Auditing", "", 
@@ -1078,10 +1120,11 @@ function GuideYamatoSecurity $channels = @("sec") $enabled = $enabledguid -contains $guid $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $current = if ($enabled) { "Enabled" } else { "Disabled" } $auditResult += [WELA]::New( "Security Advanced (Policy Change)", "Other Policy Change Events", - $enabled, + $current, [array]$rules, "No Auditing", "No Auditing ", @@ -1096,10 +1139,11 @@ function GuideYamatoSecurity $channels = @("sec") $enabled = $enabledguid -contains $guid $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $current = if ($enabled) { "Enabled" } else { "Disabled" } $auditResult += [WELA]::New( "Security Advanced (Privilege Use)", "Non-Sensitive Privilege Use", - $enabled, + $current, [array]$rules, "No Auditing", "No Auditing", @@ -1113,10 +1157,11 @@ function GuideYamatoSecurity $channels = @("sec") $enabled = $enabledguid -contains $guid $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $current = if ($enabled) { "Enabled" } else { "Disabled" } $auditResult += [WELA]::New( "Security Advanced (Privilege Use)", "Sensitive Privilege Use", - $enabled, + $current, [array]$rules, "No Auditing", "Success and Failure", @@ -1131,10 +1176,11 @@ function GuideYamatoSecurity $channels = @("sec") $enabled = $enabledguid -contains $guid $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $current = if ($enabled) { "Enabled" } else { "Disabled" } $auditResult += [WELA]::New( "Security Advanced (System)", "Other System Events", - $enabled, + $current, [array]$rules, "Success and Failure", "", 
@@ -1148,10 +1194,11 @@ function GuideYamatoSecurity $channels = @("sec") $enabled = $enabledguid -contains $guid $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $current = if ($enabled) { "Enabled" } else { "Disabled" } $auditResult += [WELA]::New( "Security Advanced (System)", "Other System Events", - $enabled, + $current, [array]$rules, "Success", "Success and Failure", @@ -1165,10 +1212,11 @@ function GuideYamatoSecurity $channels = @("sec") $enabled = $enabledguid -contains $guid $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $current = if ($enabled) { "Enabled" } else { "Disabled" } $auditResult += [WELA]::New( "Security Advanced (System)", "Security System Extension", - $enabled, + $current, [array]$rules, "No Auditing", "Success and Failure", @@ -1182,10 +1230,11 @@ function GuideYamatoSecurity $channels = @("sec") $enabled = $enabledguid -contains $guid $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $current = if ($enabled) { "Enabled" } else { "Disabled" } $auditResult += [WELA]::New( "Security Advanced (System)", "System Integrity", - $enabled, + $current, [array]$rules, "Success and Failure", "Success and Failure", @@ -1200,10 +1249,11 @@ function GuideYamatoSecurity $enabled = $true $rules = $all_rules | Where-Object { RuleFilter $_ $eids $channels $guid } $rules | ForEach-Object { $_.applicable = $enabled } + $current = if ($enabled) { "Enabled" } else { "Disabled" } $auditResult += [WELA]::New( "Security-Mitigations KernelMode", "", - $enabled, + $current, [array]$rules, "Enabled", "Enabled", @@ -1218,10 +1268,11 @@ function GuideYamatoSecurity $enabled = $true $rules = $all_rules | Where-Object { RuleFilter $_ $eids $channels $guid } $rules | ForEach-Object { $_.applicable = $enabled } + $current = if ($enabled) { "Enabled" } else { "Disabled" } $auditResult += [WELA]::New( "Security-Mitigations UserMode", "", - $enabled, + $current, [array]$rules, "Enabled", "Enabled", 
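Review bot: In the `Security-Mitigations KernelMode` and `UserMode` hunks, `$enabled = $true` is assigned unconditionally on the context line and then mapped to `$current`, so the report asserts "Enabled" for those channels without measuring anything on the host. If that is a placeholder, a probe such as `$enabled = (Get-WinEvent -ListLog $logName -ErrorAction SilentlyContinue).IsEnabled -eq $true` would make CurrentSetting reflect the actual log configuration, where `$logName` stands for however the channel name is held in the lines above the hunk; if the channels genuinely cannot be disabled, a comment saying so, `# channel is always on; no probe needed`, avoids the question. The same pattern appears in the SMBClient and System hunks on the next line.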
@@ -1236,10 +1287,11 @@ function GuideYamatoSecurity $enabled = $true $rules = $all_rules | Where-Object { RuleFilter $_ $eids $channels $guid } $rules | ForEach-Object { $_.applicable = $enabled } + $current = if ($enabled) { "Enabled" } else { "Disabled" } $auditResult += [WELA]::New( "SMBClient Security", "", - $enabled, + $current, [array]$rules, "Enabled", "Enabled", @@ -1254,10 +1306,11 @@ function GuideYamatoSecurity $enabled = $true $rules = $all_rules | Where-Object { RuleFilter $_ $eids $channels $guid } $rules | ForEach-Object { $_.applicable = $enabled } + $current = if ($enabled) { "Enabled" } else { "Disabled" } $auditResult += [WELA]::New( "System", "", - $enabled, + "Enabled", [array]$rules, "Enabled", "Enabled", @@ -1275,7 +1328,7 @@ function GuideYamatoSecurity $auditResult += [WELA]::New( "TaskScheduler Operational", "", - $enabled, + "Enabled", [array]$rules, "Enabled", "Enabled", @@ -1311,7 +1364,7 @@ function GuideYamatoSecurity $auditResult += [WELA]::New( "WMI-Activity Operational", "", - $enabled, + "Enabled", [array]$rules, "Enabled", "Enabled", @@ -1329,7 +1382,7 @@ function GuideYamatoSecurity $auditResult += [WELA]::New( "Windows Defender Operational", "", - $enabled, + "Enabled", [array]$rules, "Enabled", "Enabled", @@ -1356,7 +1409,7 @@ function GuideASD { $auditResult += [WELA]::New( "Application", "", - $enabled, + "Enabled", [array]$rules, "Enabled", "", @@ -1374,7 +1427,7 @@ function GuideASD { $auditResult += [WELA]::New( "Applocker", "", - $enabled, + "Enabled", [array]$rules, "Enabled", "Enabled", @@ -1392,7 +1445,7 @@ function GuideASD { $auditResult += [WELA]::New( "Bits-Client Operational", "", - $enabled, + "Enabled", [array]$rules, "Enabled", "", @@ -1410,7 +1463,7 @@ function GuideASD { $auditResult += [WELA]::New( "CodeIntegrity Operational", "", - $enabled, + "Enabled", [array]$rules, "Enabled", "", 
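Review bot: In the `System` hunk, `$current = if ($enabled) { "Enabled" } else { "Disabled" }` is added and then the literal `"Enabled"` is passed as the CurrentSetting argument, so the new variable is never read; pass `$current,` there as the SMBClient hunk just above does, or drop the assignment. The TaskScheduler, WMI-Activity and Windows Defender hunks on this line, and the GuideASD hunks that follow, likewise pass the literal `"Enabled"` where the removed line shows `$enabled` was passed before; if `$enabled` carries a measured value for any of them, the literal hides it.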
@@ -1428,7 +1481,7 @@ function GuideASD { $auditResult += [WELA]::New( "Diagnosis-Scripted Operational", "", - $enabled, + "Enabled", [array]$rules, "Enabled", "", @@ -1446,7 +1499,7 @@ function GuideASD { $auditResult += [WELA]::New( "DriverFrameworks-UserMode Operational", "", - $enabled, + "Enabled", [array]$rules, "Enabled", "", @@ -1464,7 +1517,7 @@ function GuideASD { $auditResult += [WELA]::New( "Firewall", "", - $enabled, + "Enabled", [array]$rules, "Enabled", "", @@ -1482,7 +1535,7 @@ function GuideASD { $auditResult += [WELA]::New( "Microsoft-Windows-NTLM/Operational", "", - $enabled, + "Enabled", [array]$rules, "Enabled", "", @@ -1501,7 +1554,7 @@ function GuideASD { $auditResult += [WELA]::New( "PowerShell", "Classic", - $enabled, + "Enabled", [array]$rules, "Enabled", "", @@ -1516,10 +1569,11 @@ function GuideASD { $enabled = CheckRegistryValue -registryPath "HKLM:\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\PowerShell\ModuleLogging" -valueName "EnableModuleLogging" -expectedValue 1 $rules = $all_rules | Where-Object { RuleFilter $_ $eids $channels $guid } $rules | ForEach-Object { $_.applicable = $enabled } + $current = if ($enabled) { "Enabled" } else { "Disabled" } $auditResult += [WELA]::New( "PowerShell", "Module", - $enabled, + $current, [array]$rules, "No Auditing", "Enabled", @@ -1534,10 +1588,11 @@ function GuideASD { $enabled = CheckRegistryValue -registryPath "HKLM:\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging" -valueName "EnableScriptBlockLogging" -expectedValue 1 $rules = $all_rules | Where-Object { RuleFilter $_ $eids $channels $guid } $rules | ForEach-Object { $_.applicable = $enabled } + $current = if ($enabled) { "Enabled" } else { "Disabled" } $auditResult += [WELA]::New( "PowerShell", "ScriptBlock", - $enabled, + $current, [array]$rules, "Patially", "Enabled", 
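Review bot: The default-setting string on the context line below the added `$current` in the GuideASD ScriptBlock hunk reads `"Patially",`, a typo, and differs from the `"Partially Enabled"` used for the same entry in GuideYamatoSecurity earlier in the patch; `"Partially Enabled",` would make the two consistent. Not introduced by this commit, but the hunk already touches the surrounding lines.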
@@ -1555,7 +1610,7 @@ function GuideASD { $auditResult += [WELA]::New( "PrintService", "PrintService Admin", - $enabled, + "Enabled", [array]$rules, "Enabled", "", @@ -1573,7 +1628,7 @@ function GuideASD { $auditResult += [WELA]::New( "PrintService", "PrintService Operational", - $enabled, + "Enabled", [array]$rules, "Enabled", "", @@ -1590,10 +1645,11 @@ function GuideASD { $channels = @("sec") $enabled = $enabledguid -contains $guid $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $current = if ($enabled) { "Enabled" } else { "Disabled" } $auditResult += [WELA]::New( "Security Advanced (Account Logon)", "Credential Validation", - $enabled, + $current, [array]$rules, "Client OS: No Auditing | Server OS: Success", "Success and Failure", @@ -1607,10 +1663,11 @@ function GuideASD { $channels = @("sec") $enabled = $enabledguid -contains $guid $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $current = if ($enabled) { "Enabled" } else { "Disabled" } $auditResult += [WELA]::New( "Security Advanced (Account Logon)", "Kerberos Authentication Service", - $enabled, + $current, [array]$rules, "Client OS: No Auditing | Server OS: Success", "", @@ -1624,10 +1681,11 @@ function GuideASD { $channels = @("sec") $enabled = $enabledguid -contains $guid $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $current = if ($enabled) { "Enabled" } else { "Disabled" } $auditResult += [WELA]::New( "Security Advanced (Account Logon)", "Kerberos Service Ticket Operations", - $enabled, + $current, [array]$rules, "Client OS: No Auditing | Server OS: Success", "", 
@@ -1642,10 +1700,11 @@ function GuideASD { $channels = @("sec") $enabled = $enabledguid -contains $guid $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $current = if ($enabled) { "Enabled" } else { "Disabled" } $auditResult += [WELA]::New( "Security Advanced (Account Management)", "Computer Account Management", - $enabled, + $current, [array]$rules, "Client OS: No Auditing | Server OS: Success", "Success and Failure", @@ -1659,10 +1718,11 @@ function GuideASD { $channels = @("sec") $enabled = $enabledguid -contains $guid $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $current = if ($enabled) { "Enabled" } else { "Disabled" } $auditResult += [WELA]::New( "Security Advanced (Account Management)", "Other Account Management Events", - $enabled, + $current, [array]$rules, "No Auditing", "Success and Failure", @@ -1676,10 +1736,11 @@ function GuideASD { $channels = @("sec") $enabled = $enabledguid -contains $guid $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $current = if ($enabled) { "Enabled" } else { "Disabled" } $auditResult += [WELA]::New( "Security Advanced (Account Management)", "Security Group Management", - $enabled, + $current, [array]$rules, "No Auditing", "Success and Failure", @@ -1693,10 +1754,11 @@ function GuideASD { $channels = @("sec") $enabled = $enabledguid -contains $guid $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $current = if ($enabled) { "Enabled" } else { "Disabled" } $auditResult += [WELA]::New( "Security Advanced (Account Management)", "User Account Management", - $enabled, + $current, [array]$rules, "No Auditing", "Success and Failure", 
@@ -1711,10 +1773,11 @@ function GuideASD { $channels = @("sec") $enabled = $enabledguid -contains $guid $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $current = if ($enabled) { "Enabled" } else { "Disabled" } $auditResult += [WELA]::New( "Security Advanced (Detailed Tracking)", "Plug and Play Events", - $enabled, + $current, [array]$rules, "No Auditing", "", @@ -1728,10 +1791,11 @@ function GuideASD { $channels = @("sec") $enabled = $enabledguid -contains $guid $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $current = if ($enabled) { "Enabled" } else { "Disabled" } $auditResult += [WELA]::New( "Security Advanced (Detailed Tracking)", "Process Creation", - $enabled, + $current, [array]$rules, "No Auditing", "Success", @@ -1745,10 +1809,11 @@ function GuideASD { $channels = @("sec") $enabled = $enabledguid -contains $guid $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $current = if ($enabled) { "Enabled" } else { "Disabled" } $auditResult += [WELA]::New( "Security Advanced (Detailed Tracking)", "Process Termination", - $enabled, + $current, [array]$rules, "No Auditing", "Success", @@ -1762,10 +1827,11 @@ function GuideASD { $channels = @("sec") $enabled = $enabledguid -contains $guid $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $current = if ($enabled) { "Enabled" } else { "Disabled" } $auditResult += [WELA]::New( "Security Advanced (Detailed Tracking)", "RPC Events", - $enabled, + $current, [array]$rules, "No Auditing", "No Auditing", @@ -1779,10 +1845,11 @@ function GuideASD { $channels = @("sec") $enabled = $enabledguid -contains $guid $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $current = if ($enabled) { "Enabled" } else { "Disabled" } $auditResult += [WELA]::New( "Security Advanced (Detailed Tracking)", "Token Right Adjusted Events", - $enabled, + $current, [array]$rules, "No Auditing", "No Auditing", 
@@ -1797,10 +1864,11 @@ function GuideASD {
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
+ $current = if ($enabled) { "Enabled" } else { "Disabled" }
 $auditResult += [WELA]::New(
 "Security Advanced (DS Access)",
 "Directory Service Access",
- $enabled,
+ $current,
 [array]$rules,
 "Client OS: No Auditing | Server OS: Success",
 "",
@@ -1814,10 +1882,11 @@ function GuideASD {
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
+ $current = if ($enabled) { "Enabled" } else { "Disabled" }
 $auditResult += [WELA]::New(
 "Security Advanced (DS Access)",
 "Directory Service Changes",
- $enabled,
+ $current,
 [array]$rules,
 "No Auditing",
 "",
@@ -1832,10 +1901,11 @@ function GuideASD {
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
+ $current = if ($enabled) { "Enabled" } else { "Disabled" }
 $auditResult += [WELA]::New(
 "Security Advanced (Logon/Logoff)",
 "Account Lockout",
- $enabled,
+ $current,
 [array]$rules,
 "Success",
 "Failure",
@@ -1849,10 +1919,11 @@ function GuideASD {
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
+ $current = if ($enabled) { "Enabled" } else { "Disabled" }
 $auditResult += [WELA]::New(
 "Security Advanced (Logon/Logoff)",
 "Group Membership",
- $enabled,
+ $current,
 [array]$rules,
 "No Auditing",
 "Success",
@@ -1866,10 +1937,11 @@ function GuideASD {
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
+ $current = if ($enabled) { "Enabled" } else { "Disabled" }
 $auditResult += [WELA]::New(
 "Security Advanced (Logon/Logoff)",
 "Group Membership",
- $enabled,
+ $current,
 [array]$rules,
 "No Auditing",
 "Success",
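Review bot: The last two hunks here both label their entry "Security Advanced (Logon/Logoff)" / "Group Membership" with identical default and recommended values, so the report will print the same subcategory twice and the new CurrentSetting column will not disambiguate them. The `$guid` each block resolves is outside the hunk, so I cannot tell which subcategory the second block really checks, but it looks like a copied label that should name a different one (the same pattern appears with "Certification Services" on the next line, "Other System Events" later in GuideASD, and again in the GuideMSC hunks). Confirming the GUID-to-name pairing for these duplicates would avoid a misleading audit result.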
@@ -1883,10 +1955,11 @@ function GuideASD {
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
+ $current = if ($enabled) { "Enabled" } else { "Disabled" }
 $auditResult += [WELA]::New(
 "Security Advanced (Logon/Logoff)",
 "Logon",
- $enabled,
+ $current,
 [array]$rules,
 "Client OS: Success | Server OS: Success and Failure",
 "Success and Failure",
@@ -1900,10 +1973,11 @@ function GuideASD {
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
+ $current = if ($enabled) { "Enabled" } else { "Disabled" }
 $auditResult += [WELA]::New(
 "Security Advanced (Logon/Logoff)",
 "Other Logon/Logoff Events",
- $enabled,
+ $current,
 [array]$rules,
 "No Auditing",
 "Success and Failure",
@@ -1917,10 +1991,11 @@ function GuideASD {
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
+ $current = if ($enabled) { "Enabled" } else { "Disabled" }
 $auditResult += [WELA]::New(
 "Security Advanced (Logon/Logoff)",
 "Special Logon",
- $enabled,
+ $current,
 [array]$rules,
 "Success",
 "Success and Failure",
@@ -1936,10 +2011,11 @@ function GuideASD {
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
+ $current = if ($enabled) { "Enabled" } else { "Disabled" }
 $auditResult += [WELA]::New(
 "Security Advanced (Object Access)",
 "Certification Services",
- $enabled,
+ $current,
 [array]$rules,
 "No Auditing",
 "",
@@ -1953,10 +2029,11 @@ function GuideASD {
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
+ $current = if ($enabled) { "Enabled" } else { "Disabled" }
 $auditResult += [WELA]::New(
 "Security Advanced (Object Access)",
 "Certification Services",
- $enabled,
+ $current,
 [array]$rules,
 "No Auditing",
 "No Auditing",
@@ -1970,10 +2047,11 @@ function GuideASD {
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
+ $current = if ($enabled) { "Enabled" } else { "Disabled" }
 $auditResult += [WELA]::New(
 "Security Advanced (Object Access)",
 "File Share",
- $enabled,
+ $current,
 [array]$rules,
 "No Auditing",
 "Success and Failure",
@@ -1987,10 +2065,11 @@ function GuideASD {
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
+ $current = if ($enabled) { "Enabled" } else { "Disabled" }
 $auditResult += [WELA]::New(
 "Security Advanced (Object Access)",
 "File System",
- $enabled,
+ $current,
 [array]$rules,
 "No Auditing",
 "",
@@ -2004,10 +2083,11 @@ function GuideASD {
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
+ $current = if ($enabled) { "Enabled" } else { "Disabled" }
 $auditResult += [WELA]::New(
 "Security Advanced (Object Access)",
 "Filtering Platform Connection",
- $enabled,
+ $current,
 [array]$rules,
 "No Auditing",
 "",
@@ -2021,10 +2101,11 @@ function GuideASD {
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
+ $current = if ($enabled) { "Enabled" } else { "Disabled" }
 $auditResult += [WELA]::New(
 "Security Advanced (Object Access)",
 "Filtering Platform Packet Drop",
- $enabled,
+ $current,
 [array]$rules,
 "No Auditing",
 "",
@@ -2038,10 +2119,11 @@ function GuideASD {
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
+ $current = if ($enabled) { "Enabled" } else { "Disabled" }
 $auditResult += [WELA]::New(
 "Security Advanced (Object Access)",
 "Kernel Object",
- $enabled,
+ $current,
 [array]$rules,
 "No Auditing",
 "Success and Failure",
@@ -2055,10 +2137,11 @@ function GuideASD {
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
+ $current = if ($enabled) { "Enabled" } else { "Disabled" }
 $auditResult += [WELA]::New(
 "Security Advanced (Object Access)",
 "Handle Manipulation",
- $enabled,
+ $current,
 [array]$rules,
 "No Auditing",
 "",
@@ -2072,10 +2155,11 @@ function GuideASD {
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
+ $current = if ($enabled) { "Enabled" } else { "Disabled" }
 $auditResult += [WELA]::New(
 "Security Advanced (Object Access)",
 "Other Object Access Events",
- $enabled,
+ $current,
 [array]$rules,
 "No Auditing",
 "Success and Failure",
@@ -2089,10 +2173,11 @@ function GuideASD {
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
+ $current = if ($enabled) { "Enabled" } else { "Disabled" }
 $auditResult += [WELA]::New(
 "Security Advanced (Object Access)",
 "Registry",
- $enabled,
+ $current,
 [array]$rules,
 "No Auditing",
 "Success and Failure",
@@ -2106,10 +2191,11 @@ function GuideASD {
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
+ $current = if ($enabled) { "Enabled" } else { "Disabled" }
 $auditResult += [WELA]::New(
 "Security Advanced (Object Access)",
 "Removable Storage",
- $enabled,
+ $current,
 [array]$rules,
 "No Auditing",
 "",
@@ -2123,10 +2209,11 @@ function GuideASD {
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
+ $current = if ($enabled) { "Enabled" } else { "Disabled" }
 $auditResult += [WELA]::New(
 "Security Advanced (Object Access)",
 "SAM",
- $enabled,
+ $current,
 [array]$rules,
 "No Auditing",
 "",
@@ -2141,10 +2228,11 @@ function GuideASD {
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
+ $current = if ($enabled) { "Enabled" } else { "Disabled" }
 $auditResult += [WELA]::New(
 "Security Advanced (Policy Change)",
 "Audit Policy Change",
- $enabled,
+ $current,
 [array]$rules,
 "Success",
 "Success and Failure",
@@ -2158,10 +2246,11 @@ function GuideASD {
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
+ $current = if ($enabled) { "Enabled" } else { "Disabled" }
 $auditResult += [WELA]::New(
 "Security Advanced (Policy Change)",
 "Authentication Policy Change",
- $enabled,
+ $current,
 [array]$rules,
 "Success",
 "",
@@ -2175,10 +2264,11 @@ function GuideASD {
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
+ $current = if ($enabled) { "Enabled" } else { "Disabled" }
 $auditResult += [WELA]::New(
 "Security Advanced (Policy Change)",
 "Authorization Policy Change",
- $enabled,
+ $current,
 [array]$rules,
 "No Auditing",
 "",
@@ -2192,10 +2282,11 @@ function GuideASD {
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
+ $current = if ($enabled) { "Enabled" } else { "Disabled" }
 $auditResult += [WELA]::New(
 "Security Advanced (Policy Change)",
 "Filtering Platform Policy Change",
- $enabled,
+ $current,
 [array]$rules,
 "No Auditing",
 "",
@@ -2209,10 +2300,11 @@ function GuideASD {
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
+ $current = if ($enabled) { "Enabled" } else { "Disabled" }
 $auditResult += [WELA]::New(
 "Security Advanced (Policy Change)",
 "MPSSVC Rule-Level Policy Change",
- $enabled,
+ $current,
 [array]$rules,
 "No Auditing",
 "",
@@ -2226,10 +2318,11 @@ function GuideASD {
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
+ $current = if ($enabled) { "Enabled" } else { "Disabled" }
 $auditResult += [WELA]::New(
 "Security Advanced (Policy Change)",
 "Other Policy Change Events",
- $enabled,
+ $current,
 [array]$rules,
 "No Auditing",
 "Success and Failure",
@@ -2244,10 +2337,11 @@ function GuideASD {
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
+ $current = if ($enabled) { "Enabled" } else { "Disabled" }
 $auditResult += [WELA]::New(
 "Security Advanced (Privilege Use)",
 "Non-Sensitive Privilege Use",
- $enabled,
+ $current,
 [array]$rules,
 "No Auditing",
 "",
@@ -2261,10 +2355,11 @@ function GuideASD {
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
+ $current = if ($enabled) { "Enabled" } else { "Disabled" }
 $auditResult += [WELA]::New(
 "Security Advanced (Privilege Use)",
 "Sensitive Privilege Use",
- $enabled,
+ $current,
 [array]$rules,
 "No Auditing",
 "",
@@ -2279,10 +2374,11 @@ function GuideASD {
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
+ $current = if ($enabled) { "Enabled" } else { "Disabled" }
 $auditResult += [WELA]::New(
 "Security Advanced (System)",
 "Other System Events",
- $enabled,
+ $current,
 [array]$rules,
 "Success and Failure",
 "",
@@ -2296,10 +2392,11 @@ function GuideASD {
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
+ $current = if ($enabled) { "Enabled" } else { "Disabled" }
 $auditResult += [WELA]::New(
 "Security Advanced (System)",
 "Other System Events",
- $enabled,
+ $current,
 [array]$rules,
 "Success",
 "",
@@ -2313,10 +2410,11 @@ function GuideASD {
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
+ $current = if ($enabled) { "Enabled" } else { "Disabled" }
 $auditResult += [WELA]::New(
 "Security Advanced (System)",
 "Security System Extension",
- $enabled,
+ $current,
 [array]$rules,
 "No Auditing",
 "",
@@ -2330,10 +2428,11 @@ function GuideASD {
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
+ $current = if ($enabled) { "Enabled" } else { "Disabled" }
 $auditResult += [WELA]::New(
 "Security Advanced (System)",
 "System Integrity",
- $enabled,
+ $current,
 [array]$rules,
 "Success and Failure",
 "Success and Failure",
@@ -2348,10 +2447,11 @@ function GuideASD {
 $enabled = $true
 $rules = $all_rules | Where-Object { RuleFilter $_ $eids $channels $guid }
 $rules | ForEach-Object { $_.applicable = $enabled }
+ $current = if ($enabled) { "Enabled" } else { "Disabled" }
 $auditResult += [WELA]::New(
 "Security-Mitigations KernelMode",
 "",
- $enabled,
+ $current,
 [array]$rules,
 "Enabled",
 "",
@@ -2366,10 +2466,11 @@ function GuideASD {
 $enabled = $true
 $rules = $all_rules | Where-Object { RuleFilter $_ $eids $channels $guid }
 $rules | ForEach-Object { $_.applicable = $enabled }
+ $current = if ($enabled) { "Enabled" } else { "Disabled" }
 $auditResult += [WELA]::New(
 "Security-Mitigations UserMode",
 "",
- $enabled,
+ $current,
 [array]$rules,
 "Enabled",
 "",
@@ -2384,10 +2485,11 @@ function GuideASD {
 $enabled = $true
 $rules = $all_rules | Where-Object { RuleFilter $_ $eids $channels $guid }
 $rules | ForEach-Object { $_.applicable = $enabled }
+ $current = if ($enabled) { "Enabled" } else { "Disabled" }
 $auditResult += [WELA]::New(
 "SMBClient Security",
 "",
- $enabled,
+ $current,
 [array]$rules,
 "Enabled",
 "",
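Review bot: In the three Security-Mitigations / SMBClient hunks on this line `$enabled = $true` is a hard-coded constant, so the new `$current = if ($enabled) { "Enabled" } else { "Disabled" }` can only ever yield "Enabled" and the CurrentSetting column reports a state the script never measured. If the intent is to show the live channel state, the value should come from a check of the log itself, for example `$enabled = (Get-WinEvent -ListLog <channel name> -ErrorAction SilentlyContinue).IsEnabled -eq $true`, with the channel name taken from wherever `$channels` is populated above the hunk; otherwise the literal should be labelled as an assumption in a comment rather than presented as current. The same pattern recurs in the corresponding GuideMSC hunks further down. GuideASD continues outside these hunks.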
@@ -2405,7 +2507,7 @@ function GuideASD {
 $auditResult += [WELA]::New(
 "System",
 "",
- $enabled,
+ "Enabled",
 [array]$rules,
 "Enabled",
 "",
@@ -2423,7 +2525,7 @@ function GuideASD {
 $auditResult += [WELA]::New(
 "TaskScheduler Operational",
 "",
- $enabled,
+ "Enabled",
 [array]$rules,
 "Enabled",
 "",
@@ -2441,7 +2543,7 @@ function GuideASD {
 $auditResult += [WELA]::New(
 "TerminalServices-LocalSessionManager Operational",
 "",
- $enabled,
+ "Enabled",
 [array]$rules,
 "Enabled",
 "",
@@ -2459,7 +2561,7 @@ function GuideASD {
 $auditResult += [WELA]::New(
 "WMI-Activity Operational",
 "",
- $enabled,
+ "Enabled",
 [array]$rules,
 "Enabled",
 "",
@@ -2477,7 +2579,7 @@ function GuideASD {
 $auditResult += [WELA]::New(
 "Windows Defender Operational",
 "",
- $enabled,
+ "Enabled",
 [array]$rules,
 "Enabled",
 "",
@@ -2504,7 +2606,7 @@ function GuideMSC {
 $auditResult += [WELA]::New(
 "Application",
 "",
- $enabled,
+ "Enabled",
 [array]$rules,
 "Enabled",
 "",
@@ -2522,7 +2624,7 @@ function GuideMSC {
 $auditResult += [WELA]::New(
 "Applocker",
 "",
- $enabled,
+ "Enabled",
 [array]$rules,
 "Enabled",
 "",
@@ -2540,7 +2642,7 @@ function GuideMSC {
 $auditResult += [WELA]::New(
 "Bits-Client Operational",
 "",
- $enabled,
+ "Enabled",
 [array]$rules,
 "Enabled",
 "",
@@ -2558,7 +2660,7 @@ function GuideMSC {
 $auditResult += [WELA]::New(
 "CodeIntegrity Operational",
 "",
- $enabled,
+ "Enabled",
 [array]$rules,
 "Enabled",
 "",
@@ -2576,7 +2678,7 @@ function GuideMSC {
 $auditResult += [WELA]::New(
 "Diagnosis-Scripted Operational",
 "",
- $enabled,
+ "Enabled",
 [array]$rules,
 "Enabled",
 "",
@@ -2594,7 +2696,7 @@ function GuideMSC {
 $auditResult += [WELA]::New(
 "DriverFrameworks-UserMode Operational",
 "",
- $enabled,
+ "Enabled",
 [array]$rules,
 "Enabled",
 "",
@@ -2612,7 +2714,7 @@ function GuideMSC {
 $auditResult += [WELA]::New(
 "Firewall",
 "",
- $enabled,
+ "Enabled",
 [array]$rules,
 "Enabled",
 "",
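Review bot: Every hunk on this line replaces the `$enabled` argument with the literal `"Enabled"`, so the CurrentSetting passed to `[WELA]::New` is no longer tied to any check and the variable that was there before (still computed above the hunk, presumably, and apparently still used for `applicable`) has no influence on what is reported. For channels such as Windows Defender Operational or Applocker that can genuinely be disabled, a report line saying the current setting is enabled would be wrong on exactly the hosts where the finding matters; deriving the value the same way as the neighbouring hunks, `$current = if ($enabled) { "Enabled" } else { "Disabled" }` and passing `$current`, keeps the column honest, or leave it empty if the report omits blank settings. The same substitution appears in the PrintService, System, TaskScheduler, TerminalServices, WMI-Activity and Windows Defender hunks of GuideMSC on the next line and at the end of the chunk. The enclosing functions GuideASD and GuideMSC both extend outside these hunks.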
@@ -2630,7 +2732,7 @@ function GuideMSC {
 $auditResult += [WELA]::New(
 "Microsoft-Windows-NTLM/Operational",
 "",
- $enabled,
+ "Enabled",
 [array]$rules,
 "Enabled",
 "",
@@ -2649,7 +2751,7 @@ function GuideMSC {
 $auditResult += [WELA]::New(
 "PowerShell",
 "Classic",
- $enabled,
+ "Enabled",
 [array]$rules,
 "Enabled",
 "",
@@ -2664,10 +2766,11 @@ function GuideMSC {
 $enabled = CheckRegistryValue -registryPath "HKLM:\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\PowerShell\ModuleLogging" -valueName "EnableModuleLogging" -expectedValue 1
 $rules = $all_rules | Where-Object { RuleFilter $_ $eids $channels $guid }
 $rules | ForEach-Object { $_.applicable = $enabled }
+ $current = if ($enabled) { "Enabled" } else { "Disabled" }
 $auditResult += [WELA]::New(
 "PowerShell",
 "Module",
- $enabled,
+ $current,
 [array]$rules,
 "No Auditing",
 "",
@@ -2682,10 +2785,11 @@ function GuideMSC {
 $enabled = CheckRegistryValue -registryPath "HKLM:\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging" -valueName "EnableScriptBlockLogging" -expectedValue 1
 $rules = $all_rules | Where-Object { RuleFilter $_ $eids $channels $guid }
 $rules | ForEach-Object { $_.applicable = $enabled }
+ $current = if ($enabled) { "Enabled" } else { "Disabled" }
 $auditResult += [WELA]::New(
 "PowerShell",
 "ScriptBlock",
- $enabled,
+ $current,
 [array]$rules,
 "Patially",
 "",
@@ -2703,7 +2807,7 @@ function GuideMSC {
 $auditResult += [WELA]::New(
 "PrintService",
 "PrintService Admin",
- $enabled,
+ "Enabled",
 [array]$rules,
 "Enabled",
 "",
@@ -2721,7 +2825,7 @@ function GuideMSC {
 $auditResult += [WELA]::New(
 "PrintService",
 "PrintService Operational",
- $enabled,
+ "Enabled",
 [array]$rules,
 "Enabled",
 "",
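Review bot: The new `$current` in the PowerShell Module and ScriptBlock hunks is only as reliable as the `CheckRegistryValue` call above it, and that call reads the policy solely from the `Wow6432Node` (32-bit) view of the registry; if the policy on a 64-bit host is written under the native `HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\...` path, the report would show "Disabled" for a host where module or script block logging is actually on, which is the wrong direction for a logging-coverage audit. It would be safer to check the native path first and fall back to the Wow6432Node path, and the ScriptBlock hunk's DefaultSetting string `"Patially"` looks like a typo for `"Partially"`. I cannot see how `CheckRegistryValue` behaves when the key is absent, so treat the path concern as something to confirm rather than a certain defect. GuideMSC continues outside these hunks.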
@@ -2738,10 +2842,11 @@ function GuideMSC {
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
+ $current = if ($enabled) { "Enabled" } else { "Disabled" }
 $auditResult += [WELA]::New(
 "Security Advanced (Account Logon)",
 "Credential Validation",
- $enabled,
+ $current,
 [array]$rules,
 "Client OS: No Auditing | Server OS: Success",
 "Success and Failure",
@@ -2755,10 +2860,11 @@ function GuideMSC {
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
+ $current = if ($enabled) { "Enabled" } else { "Disabled" }
 $auditResult += [WELA]::New(
 "Security Advanced (Account Logon)",
 "Kerberos Authentication Service",
- $enabled,
+ $current,
 [array]$rules,
 "Client OS: No Auditing | Server OS: Success",
 "",
@@ -2772,10 +2878,11 @@ function GuideMSC {
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
+ $current = if ($enabled) { "Enabled" } else { "Disabled" }
 $auditResult += [WELA]::New(
 "Security Advanced (Account Logon)",
 "Kerberos Service Ticket Operations",
- $enabled,
+ $current,
 [array]$rules,
 "Client OS: No Auditing | Server OS: Success",
 "",
@@ -2790,10 +2897,11 @@ function GuideMSC {
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
+ $current = if ($enabled) { "Enabled" } else { "Disabled" }
 $auditResult += [WELA]::New(
 "Security Advanced (Account Management)",
 "Computer Account Management",
- $enabled,
+ $current,
 [array]$rules,
 "Client OS: No Auditing | Server OS: Success",
 "Success",
@@ -2807,10 +2915,11 @@ function GuideMSC {
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
+ $current = if ($enabled) { "Enabled" } else { "Disabled" }
 $auditResult += [WELA]::New(
 "Security Advanced (Account Management)",
 "Other Account Management Events",
- $enabled,
+ $current,
 [array]$rules,
 "No Auditing",
 "Success",
@@ -2824,10 +2933,11 @@ function GuideMSC {
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
+ $current = if ($enabled) { "Enabled" } else { "Disabled" }
 $auditResult += [WELA]::New(
 "Security Advanced (Account Management)",
 "Security Group Management",
- $enabled,
+ $current,
 [array]$rules,
 "No Auditing",
 "Success",
@@ -2841,10 +2951,11 @@ function GuideMSC {
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
+ $current = if ($enabled) { "Enabled" } else { "Disabled" }
 $auditResult += [WELA]::New(
 "Security Advanced (Account Management)",
 "User Account Management",
- $enabled,
+ $current,
 [array]$rules,
 "No Auditing",
 "Success",
@@ -2859,10 +2970,11 @@ function GuideMSC {
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
+ $current = if ($enabled) { "Enabled" } else { "Disabled" }
 $auditResult += [WELA]::New(
 "Security Advanced (Detailed Tracking)",
 "Plug and Play Events",
- $enabled,
+ $current,
 [array]$rules,
 "No Auditing",
 "",
@@ -2876,10 +2988,11 @@ function GuideMSC {
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
+ $current = if ($enabled) { "Enabled" } else { "Disabled" }
 $auditResult += [WELA]::New(
 "Security Advanced (Detailed Tracking)",
 "Process Creation",
- $enabled,
+ $current,
 [array]$rules,
 "No Auditing",
 "Success",
@@ -2893,10 +3006,11 @@ function GuideMSC {
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
+ $current = if ($enabled) { "Enabled" } else { "Disabled" }
 $auditResult += [WELA]::New(
 "Security Advanced (Detailed Tracking)",
 "Process Termination",
- $enabled,
+ $current,
 [array]$rules,
 "No Auditing",
 "",
@@ -2910,10 +3024,11 @@ function GuideMSC {
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
+ $current = if ($enabled) { "Enabled" } else { "Disabled" }
 $auditResult += [WELA]::New(
 "Security Advanced (Detailed Tracking)",
 "RPC Events",
- $enabled,
+ $current,
 [array]$rules,
 "No Auditing",
 "",
@@ -2927,10 +3042,11 @@ function GuideMSC {
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
+ $current = if ($enabled) { "Enabled" } else { "Disabled" }
 $auditResult += [WELA]::New(
 "Security Advanced (Detailed Tracking)",
 "Token Right Adjusted Events",
- $enabled,
+ $current,
 [array]$rules,
 "No Auditing",
 "",
@@ -2945,10 +3061,11 @@ function GuideMSC {
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
+ $current = if ($enabled) { "Enabled" } else { "Disabled" }
 $auditResult += [WELA]::New(
 "Security Advanced (DS Access)",
 "Directory Service Access",
- $enabled,
+ $current,
 [array]$rules,
 "Client OS: No Auditing | Server OS: Success",
 "",
@@ -2962,10 +3079,11 @@ function GuideMSC {
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
+ $current = if ($enabled) { "Enabled" } else { "Disabled" }
 $auditResult += [WELA]::New(
 "Security Advanced (DS Access)",
 "Directory Service Changes",
- $enabled,
+ $current,
 [array]$rules,
 "No Auditing",
 "",
@@ -2980,10 +3098,11 @@ function GuideMSC {
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
+ $current = if ($enabled) { "Enabled" } else { "Disabled" }
 $auditResult += [WELA]::New(
 "Security Advanced (Logon/Logoff)",
 "Account Lockout",
- $enabled,
+ $current,
 [array]$rules,
 "Success",
 "Failure",
@@ -2997,10 +3116,11 @@ function GuideMSC {
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
+ $current = if ($enabled) { "Enabled" } else { "Disabled" }
 $auditResult += [WELA]::New(
 "Security Advanced (Logon/Logoff)",
 "Group Membership",
- $enabled,
+ $current,
 [array]$rules,
 "No Auditing",
 "Success",
@@ -3014,10 +3134,11 @@ function GuideMSC {
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
+ $current = if ($enabled) { "Enabled" } else { "Disabled" }
 $auditResult += [WELA]::New(
 "Security Advanced (Logon/Logoff)",
 "Group Membership",
- $enabled,
+ $current,
 [array]$rules,
 "No Auditing",
 "Success",
@@ -3031,10 +3152,11 @@ function GuideMSC {
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
+ $current = if ($enabled) { "Enabled" } else { "Disabled" }
 $auditResult += [WELA]::New(
 "Security Advanced (Logon/Logoff)",
 "Logon",
- $enabled,
+ $current,
 [array]$rules,
 "Client OS: Success | Server OS: Success and Failure",
 "Success and Failure",
@@ -3048,10 +3170,11 @@ function GuideMSC {
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
+ $current = if ($enabled) { "Enabled" } else { "Disabled" }
 $auditResult += [WELA]::New(
 "Security Advanced (Logon/Logoff)",
 "Other Logon/Logoff Events",
- $enabled,
+ $current,
 [array]$rules,
 "No Auditing",
 "Success and Failure",
@@ -3065,10 +3188,11 @@ function GuideMSC {
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
+ $current = if ($enabled) { "Enabled" } else { "Disabled" }
 $auditResult += [WELA]::New(
 "Security Advanced (Logon/Logoff)",
 "Special Logon",
- $enabled,
+ $current,
 [array]$rules,
 "Success",
 "Success",
@@ -3084,10 +3208,11 @@ function GuideMSC {
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
+ $current = if ($enabled) { "Enabled" } else { "Disabled" }
 $auditResult += [WELA]::New(
 "Security Advanced (Object Access)",
 "Certification Services",
- $enabled,
+ $current,
 [array]$rules,
 "No Auditing",
 "",
@@ -3101,10 +3226,11 @@ function GuideMSC {
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
+ $current = if ($enabled) { "Enabled" } else { "Disabled" }
 $auditResult += [WELA]::New(
 "Security Advanced (Object Access)",
 "Certification Services",
- $enabled,
+ $current,
 [array]$rules,
 "No Auditing",
 "",
@@ -3118,10 +3244,11 @@ function GuideMSC {
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
+ $current = if ($enabled) { "Enabled" } else { "Disabled" }
 $auditResult += [WELA]::New(
 "Security Advanced (Object Access)",
 "File Share",
- $enabled,
+ $current,
 [array]$rules,
 "No Auditing",
 "Success and Failure",
@@ -3135,10 +3262,11 @@ function GuideMSC {
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
+ $current = if ($enabled) { "Enabled" } else { "Disabled" }
 $auditResult += [WELA]::New(
 "Security Advanced (Object Access)",
 "File System",
- $enabled,
+ $current,
 [array]$rules,
 "No Auditing",
 "",
@@ -3152,10 +3280,11 @@ function GuideMSC {
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
+ $current = if ($enabled) { "Enabled" } else { "Disabled" }
 $auditResult += [WELA]::New(
 "Security Advanced (Object Access)",
 "Filtering Platform Connection",
- $enabled,
+ $current,
 [array]$rules,
 "No Auditing",
 "",
@@ -3169,10 +3298,11 @@ function GuideMSC {
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
+ $current = if ($enabled) { "Enabled" } else { "Disabled" }
 $auditResult += [WELA]::New(
 "Security Advanced (Object Access)",
 "Filtering Platform Packet Drop",
- $enabled,
+ $current,
 [array]$rules,
 "No Auditing",
 "",
@@ -3186,10 +3316,11 @@ function GuideMSC {
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
+ $current = if ($enabled) { "Enabled" } else { "Disabled" }
 $auditResult += [WELA]::New(
 "Security Advanced (Object Access)",
 "Kernel Object",
- $enabled,
+ $current,
 [array]$rules,
 "No Auditing",
 "Success and Failure",
@@ -3203,10 +3334,11 @@ function GuideMSC {
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
+ $current = if ($enabled) { "Enabled" } else { "Disabled" }
 $auditResult += [WELA]::New(
 "Security Advanced (Object Access)",
 "Handle Manipulation",
- $enabled,
+ $current,
 [array]$rules,
 "No Auditing",
 "",
@@ -3220,10 +3352,11 @@ function GuideMSC {
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
+ $current = if ($enabled) { "Enabled" } else { "Disabled" }
 $auditResult += [WELA]::New(
 "Security Advanced (Object Access)",
 "Other Object Access Events",
- $enabled,
+ $current,
 [array]$rules,
 "No Auditing",
 "Success and Failure",
@@ -3237,10 +3370,11 @@ function GuideMSC {
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
+ $current = if ($enabled) { "Enabled" } else { "Disabled" }
 $auditResult += [WELA]::New(
 "Security Advanced (Object Access)",
 "Registry",
- $enabled,
+ $current,
 [array]$rules,
 "No Auditing",
 "Success and Failure",
@@ -3254,10 +3388,11 @@ function GuideMSC {
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
+ $current = if ($enabled) { "Enabled" } else { "Disabled" }
 $auditResult += [WELA]::New(
 "Security Advanced (Object Access)",
 "Removable Storage",
- $enabled,
+ $current,
 [array]$rules,
 "No Auditing",
 "",
@@ -3271,10 +3406,11 @@ function GuideMSC {
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
+ $current = if ($enabled) { "Enabled" } else { "Disabled" }
 $auditResult += [WELA]::New(
 "Security Advanced (Object Access)",
 "SAM",
- $enabled,
+ $current,
 [array]$rules,
 "No Auditing",
 "",
@@ -3289,10 +3425,11 @@ function GuideMSC {
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
+ $current = if ($enabled) { "Enabled" } else { "Disabled" }
 $auditResult += [WELA]::New(
 "Security Advanced (Policy Change)",
 "Audit Policy Change",
- $enabled,
+ $current,
 [array]$rules,
 "Success",
 "Success and Failure",
@@ -3306,10 +3443,11 @@ function GuideMSC {
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
+ $current = if ($enabled) { "Enabled" } else { "Disabled" }
 $auditResult += [WELA]::New(
 "Security Advanced (Policy Change)",
 "Authentication Policy Change",
- $enabled,
+ $current,
 [array]$rules,
 "Success",
 "Success",
@@ -3323,10 +3461,11 @@ function GuideMSC {
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
+ $current = if ($enabled) { "Enabled" } else { "Disabled" }
 $auditResult += [WELA]::New(
 "Security Advanced (Policy Change)",
 "Authorization Policy Change",
- $enabled,
+ $current,
 [array]$rules,
 "No Auditing",
 "",
@@ -3340,10 +3479,11 @@ function GuideMSC {
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
+ $current = if ($enabled) { "Enabled" } else { "Disabled" }
 $auditResult += [WELA]::New(
 "Security Advanced (Policy Change)",
 "Filtering Platform Policy Change",
- $enabled,
+ $current,
 [array]$rules,
 "No Auditing",
 "",
@@ -3357,10 +3497,11 @@ function GuideMSC {
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
+ $current = if ($enabled) { "Enabled" } else { "Disabled" }
 $auditResult += [WELA]::New(
 "Security Advanced (Policy Change)",
 "MPSSVC Rule-Level Policy Change",
- $enabled,
+ $current,
 [array]$rules,
 "No Auditing",
 "",
@@ -3374,10 +3515,11 @@ function GuideMSC {
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
+ $current = if ($enabled) { "Enabled" } else { "Disabled" }
 $auditResult += [WELA]::New(
 "Security Advanced (Policy Change)",
 "Other Policy Change Events",
- $enabled,
+ $current,
 [array]$rules,
 "No Auditing",
 "Success and Failure",
@@ -3392,10 +3534,11 @@ function GuideMSC {
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
+ $current = if ($enabled) { "Enabled" } else { "Disabled" }
 $auditResult += [WELA]::New(
 "Security Advanced (Privilege Use)",
 "Non-Sensitive Privilege Use",
- $enabled,
+ $current,
 [array]$rules,
 "No Auditing",
 "",
@@ -3409,10 +3552,11 @@ function GuideMSC { $channels = @("sec") $enabled = $enabledguid -contains $guid $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $current = if ($enabled) { "Enabled" } else { "Disabled" } $auditResult += [WELA]::New( "Security Advanced (Privilege Use)", "Sensitive Privilege Use", - $enabled, + $current, [array]$rules, "No Auditing", "", @@ -3427,10 +3571,11 @@ function GuideMSC { $channels = @("sec") $enabled = $enabledguid -contains $guid $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $current = if ($enabled) { "Enabled" } else { "Disabled" } $auditResult += [WELA]::New( "Security Advanced (System)", "Other System Events", - $enabled, + $current, [array]$rules, "Success and Failure", "", @@ -3444,10 +3589,11 @@ function GuideMSC { $channels = @("sec") $enabled = $enabledguid -contains $guid $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $current = if ($enabled) { "Enabled" } else { "Disabled" } $auditResult += [WELA]::New( "Security Advanced (System)", "Other System Events", - $enabled, + $current, [array]$rules, "Success", "Success and Failure", @@ -3461,10 +3607,11 @@ function GuideMSC { $channels = @("sec") $enabled = $enabledguid -contains $guid $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $current = if ($enabled) { "Enabled" } else { "Disabled" } $auditResult += [WELA]::New( "Security Advanced (System)", "Security System Extension", - $enabled, + $current, [array]$rules, "No Auditing", "", @@ -3478,10 +3625,11 @@ function GuideMSC { $channels = @("sec") $enabled = $enabledguid -contains $guid $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $current = if ($enabled) { "Enabled" } else { "Disabled" } $auditResult += [WELA]::New( "Security Advanced (System)", "System Integrity", - $enabled, + $current, [array]$rules, "Success and Failure", "Success and Failure", 
@@ -3496,10 +3644,11 @@ function GuideMSC { $enabled = $true $rules = $all_rules | Where-Object { RuleFilter $_ $eids $channels $guid } $rules | ForEach-Object { $_.applicable = $enabled } + $current = if ($enabled) { "Enabled" } else { "Disabled" } $auditResult += [WELA]::New( "Security-Mitigations KernelMode", "", - $enabled, + $current, [array]$rules, "Enabled", "", @@ -3514,10 +3663,11 @@ function GuideMSC { $enabled = $true $rules = $all_rules | Where-Object { RuleFilter $_ $eids $channels $guid } $rules | ForEach-Object { $_.applicable = $enabled } + $current = if ($enabled) { "Enabled" } else { "Disabled" } $auditResult += [WELA]::New( "Security-Mitigations UserMode", "", - $enabled, + $current, [array]$rules, "Enabled", "", @@ -3532,10 +3682,11 @@ function GuideMSC { $enabled = $true $rules = $all_rules | Where-Object { RuleFilter $_ $eids $channels $guid } $rules | ForEach-Object { $_.applicable = $enabled } + $current = if ($enabled) { "Enabled" } else { "Disabled" } $auditResult += [WELA]::New( "SMBClient Security", "", - $enabled, + $current, [array]$rules, "Enabled", "", @@ -3553,7 +3704,7 @@ function GuideMSC { $auditResult += [WELA]::New( "System", "", - $enabled, + "Enabled", [array]$rules, "Enabled", "", @@ -3571,7 +3722,7 @@ function GuideMSC { $auditResult += [WELA]::New( "TaskScheduler Operational", "", - $enabled, + "Enabled", [array]$rules, "Enabled", "", @@ -3589,7 +3740,7 @@ function GuideMSC { $auditResult += [WELA]::New( "TerminalServices-LocalSessionManager Operational", "", - $enabled, + "Enabled", [array]$rules, "Enabled", "", @@ -3607,7 +3758,7 @@ function GuideMSC { $auditResult += [WELA]::New( "WMI-Activity Operational", "", - $enabled, + "Enabled", [array]$rules, "Enabled", "", @@ -3625,7 +3776,7 @@ function GuideMSC { $auditResult += [WELA]::New( "Windows Defender Operational", "", - $enabled, + "Enabled", [array]$rules, "Enabled", "", 
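Review bot: In the System, TaskScheduler Operational, TerminalServices-LocalSessionManager Operational, WMI-Activity Operational and Windows Defender Operational hunks the CurrentSetting argument becomes the literal "Enabled" while the rules' `applicable` flag is still taken from `$enabled` (the assignment `$rules | ForEach-Object { $_.applicable = $enabled }` is visible as context in the later GuideYamatoSecurity Application hunk). If `$enabled` is hard-coded to `$true` for these channels, as it visibly is for Security-Mitigations and SMBClient just above, the literal is merely redundant; if it comes from a real check, the report would say "Enabled" for a channel whose rules were just marked not applicable. Deriving the string from `$enabled` as the neighbouring hunks do keeps the two in step either way. The corresponding GuideMSS hunks further down have the same shape.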
@@ -3651,7 +3802,7 @@ function GuideMSS { $auditResult += [WELA]::New( "Application", "", - $enabled, + "Enabled", [array]$rules, "Enabled", "", @@ -3669,7 +3820,7 @@ function GuideMSS { $auditResult += [WELA]::New( "Applocker", "", - $enabled, + "Enabled", [array]$rules, "Enabled", "", @@ -3687,7 +3838,7 @@ function GuideMSS { $auditResult += [WELA]::New( "Bits-Client Operational", "", - $enabled, + "Enabled", [array]$rules, "Enabled", "", @@ -3705,7 +3856,7 @@ function GuideMSS { $auditResult += [WELA]::New( "CodeIntegrity Operational", "", - $enabled, + "Enabled", [array]$rules, "Enabled", "", @@ -3723,7 +3874,7 @@ function GuideMSS { $auditResult += [WELA]::New( "Diagnosis-Scripted Operational", "", - $enabled, + "Enabled", [array]$rules, "Enabled", "", @@ -3741,7 +3892,7 @@ function GuideMSS { $auditResult += [WELA]::New( "DriverFrameworks-UserMode Operational", "", - $enabled, + "Enabled", [array]$rules, "Enabled", "", @@ -3759,7 +3910,7 @@ function GuideMSS { $auditResult += [WELA]::New( "Firewall", "", - $enabled, + "Enabled", [array]$rules, "Enabled", "", @@ -3777,7 +3928,7 @@ function GuideMSS { $auditResult += [WELA]::New( "Microsoft-Windows-NTLM/Operational", "", - $enabled, + "Enabled", [array]$rules, "Enabled", "", @@ -3796,7 +3947,7 @@ function GuideMSS { $auditResult += [WELA]::New( "PowerShell", "Classic", - $enabled, + "Enabled", [array]$rules, "Enabled", "", @@ -3811,10 +3962,11 @@ function GuideMSS { $enabled = CheckRegistryValue -registryPath "HKLM:\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\PowerShell\ModuleLogging" -valueName "EnableModuleLogging" -expectedValue 1 $rules = $all_rules | Where-Object { RuleFilter $_ $eids $channels $guid } $rules | ForEach-Object { $_.applicable = $enabled } + $current = if ($enabled) { "Enabled" } else { "Disabled" } $auditResult += [WELA]::New( "PowerShell", "Module", - $enabled, + $current, [array]$rules, "No Auditing", "", 
@@ -3829,10 +3981,11 @@ function GuideMSS { $enabled = CheckRegistryValue -registryPath "HKLM:\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging" -valueName "EnableScriptBlockLogging" -expectedValue 1 $rules = $all_rules | Where-Object { RuleFilter $_ $eids $channels $guid } $rules | ForEach-Object { $_.applicable = $enabled } + $current = if ($enabled) { "Enabled" } else { "Disabled" } $auditResult += [WELA]::New( "PowerShell", "ScriptBlock", - $enabled, + $current, [array]$rules, "Patially", "", @@ -3850,7 +4003,7 @@ function GuideMSS { $auditResult += [WELA]::New( "PrintService", "PrintService Admin", - $enabled, + "Enabled", [array]$rules, "Enabled", "", @@ -3868,7 +4021,7 @@ function GuideMSS { $auditResult += [WELA]::New( "PrintService", "PrintService Operational", - $enabled, + "Enabled", [array]$rules, "Enabled", "", @@ -3885,10 +4038,11 @@ function GuideMSS { $channels = @("sec") $enabled = $enabledguid -contains $guid $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $current = if ($enabled) { "Enabled" } else { "Disabled" } $auditResult += [WELA]::New( "Security Advanced (Account Logon)", "Credential Validation", - $enabled, + $current, [array]$rules, "Client OS: No Auditing | Server OS: Success", "Success and Failure", @@ -3902,10 +4056,11 @@ function GuideMSS { $channels = @("sec") $enabled = $enabledguid -contains $guid $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $current = if ($enabled) { "Enabled" } else { "Disabled" } $auditResult += [WELA]::New( "Security Advanced (Account Logon)", "Kerberos Authentication Service", - $enabled, + $current, [array]$rules, "Client OS: No Auditing | Server OS: Success", "", 
@@ -3919,10 +4074,11 @@ function GuideMSS { $channels = @("sec") $enabled = $enabledguid -contains $guid $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $current = if ($enabled) { "Enabled" } else { "Disabled" } $auditResult += [WELA]::New( "Security Advanced (Account Logon)", "Kerberos Service Ticket Operations", - $enabled, + $current, [array]$rules, "Client OS: No Auditing | Server OS: Success", "", @@ -3937,10 +4093,11 @@ function GuideMSS { $channels = @("sec") $enabled = $enabledguid -contains $guid $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $current = if ($enabled) { "Enabled" } else { "Disabled" } $auditResult += [WELA]::New( "Security Advanced (Account Management)", "Computer Account Management", - $enabled, + $current, [array]$rules, "Client OS: No Auditing | Server OS: Success", "Success and Failure", @@ -3954,10 +4111,11 @@ function GuideMSS { $channels = @("sec") $enabled = $enabledguid -contains $guid $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $current = if ($enabled) { "Enabled" } else { "Disabled" } $auditResult += [WELA]::New( "Security Advanced (Account Management)", "Other Account Management Events", - $enabled, + $current, [array]$rules, "No Auditing", "Success and Failure", @@ -3971,10 +4129,11 @@ function GuideMSS { $channels = @("sec") $enabled = $enabledguid -contains $guid $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $current = if ($enabled) { "Enabled" } else { "Disabled" } $auditResult += [WELA]::New( "Security Advanced (Account Management)", "Security Group Management", - $enabled, + $current, [array]$rules, "No Auditing", "Success and Failure", 
@@ -3988,10 +4147,11 @@ function GuideMSS { $channels = @("sec") $enabled = $enabledguid -contains $guid $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $current = if ($enabled) { "Enabled" } else { "Disabled" } $auditResult += [WELA]::New( "Security Advanced (Account Management)", "User Account Management", - $enabled, + $current, [array]$rules, "No Auditing", "Success and Failure", @@ -4006,10 +4166,11 @@ function GuideMSS { $channels = @("sec") $enabled = $enabledguid -contains $guid $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $current = if ($enabled) { "Enabled" } else { "Disabled" } $auditResult += [WELA]::New( "Security Advanced (Detailed Tracking)", "Plug and Play Events", - $enabled, + $current, [array]$rules, "No Auditing", "", @@ -4023,10 +4184,11 @@ function GuideMSS { $channels = @("sec") $enabled = $enabledguid -contains $guid $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $current = if ($enabled) { "Enabled" } else { "Disabled" } $auditResult += [WELA]::New( "Security Advanced (Detailed Tracking)", "Process Creation", - $enabled, + $current, [array]$rules, "No Auditing", "Success", @@ -4040,10 +4202,11 @@ function GuideMSS { $channels = @("sec") $enabled = $enabledguid -contains $guid $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $current = if ($enabled) { "Enabled" } else { "Disabled" } $auditResult += [WELA]::New( "Security Advanced (Detailed Tracking)", "Process Termination", - $enabled, + $current, [array]$rules, "No Auditing", "", @@ -4057,10 +4220,11 @@ function GuideMSS { $channels = @("sec") $enabled = $enabledguid -contains $guid $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $current = if ($enabled) { "Enabled" } else { "Disabled" } $auditResult += [WELA]::New( "Security Advanced (Detailed Tracking)", "RPC Events", - $enabled, + $current, [array]$rules, "No Auditing", "", 
@@ -4074,10 +4238,11 @@ function GuideMSS { $channels = @("sec") $enabled = $enabledguid -contains $guid $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $current = if ($enabled) { "Enabled" } else { "Disabled" } $auditResult += [WELA]::New( "Security Advanced (Detailed Tracking)", "Token Right Adjusted Events", - $enabled, + $current, [array]$rules, "No Auditing", "", @@ -4092,10 +4257,11 @@ function GuideMSS { $channels = @("sec") $enabled = $enabledguid -contains $guid $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $current = if ($enabled) { "Enabled" } else { "Disabled" } $auditResult += [WELA]::New( "Security Advanced (DS Access)", "Directory Service Access", - $enabled, + $current, [array]$rules, "Client OS: No Auditing | Server OS: Success", "Success and Failure", @@ -4109,10 +4275,11 @@ function GuideMSS { $channels = @("sec") $enabled = $enabledguid -contains $guid $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $current = if ($enabled) { "Enabled" } else { "Disabled" } $auditResult += [WELA]::New( "Security Advanced (DS Access)", "Directory Service Changes", - $enabled, + $current, [array]$rules, "No Auditing", "Success and Failure", @@ -4127,10 +4294,11 @@ function GuideMSS { $channels = @("sec") $enabled = $enabledguid -contains $guid $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $current = if ($enabled) { "Enabled" } else { "Disabled" } $auditResult += [WELA]::New( "Security Advanced (Logon/Logoff)", "Account Lockout", - $enabled, + $current, [array]$rules, "Success", "Failure", @@ -4144,10 +4312,11 @@ function GuideMSS { $channels = @("sec") $enabled = $enabledguid -contains $guid $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $current = if ($enabled) { "Enabled" } else { "Disabled" } $auditResult += [WELA]::New( "Security Advanced (Logon/Logoff)", "Group Membership", - $enabled, + $current, [array]$rules, "No Auditing", "Success", 
@@ -4161,10 +4330,11 @@ function GuideMSS { $channels = @("sec") $enabled = $enabledguid -contains $guid $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $current = if ($enabled) { "Enabled" } else { "Disabled" } $auditResult += [WELA]::New( "Security Advanced (Logon/Logoff)", "Group Membership", - $enabled, + $current, [array]$rules, "No Auditing", "Success", @@ -4178,10 +4348,11 @@ function GuideMSS { $channels = @("sec") $enabled = $enabledguid -contains $guid $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $current = if ($enabled) { "Enabled" } else { "Disabled" } $auditResult += [WELA]::New( "Security Advanced (Logon/Logoff)", "Logon", - $enabled, + $current, [array]$rules, "Client OS: Success | Server OS: Success and Failure", "Success and Failure", @@ -4195,10 +4366,11 @@ function GuideMSS { $channels = @("sec") $enabled = $enabledguid -contains $guid $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $current = if ($enabled) { "Enabled" } else { "Disabled" } $auditResult += [WELA]::New( "Security Advanced (Logon/Logoff)", "Other Logon/Logoff Events", - $enabled, + $current, [array]$rules, "No Auditing", "Success and Failure", @@ -4212,10 +4384,11 @@ function GuideMSS { $channels = @("sec") $enabled = $enabledguid -contains $guid $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $current = if ($enabled) { "Enabled" } else { "Disabled" } $auditResult += [WELA]::New( "Security Advanced (Logon/Logoff)", "Special Logon", - $enabled, + $current, [array]$rules, "Success", "Success", @@ -4231,10 +4404,11 @@ function GuideMSS { $channels = @("sec") $enabled = $enabledguid -contains $guid $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $current = if ($enabled) { "Enabled" } else { "Disabled" } $auditResult += [WELA]::New( "Security Advanced (Object Access)", "Certification Services", - $enabled, + $current, [array]$rules, "No Auditing", "", 
@@ -4248,10 +4422,11 @@ function GuideMSS { $channels = @("sec") $enabled = $enabledguid -contains $guid $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $current = if ($enabled) { "Enabled" } else { "Disabled" } $auditResult += [WELA]::New( "Security Advanced (Object Access)", "Certification Services", - $enabled, + $current, [array]$rules, "No Auditing", "", @@ -4265,10 +4440,11 @@ function GuideMSS { $channels = @("sec") $enabled = $enabledguid -contains $guid $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $current = if ($enabled) { "Enabled" } else { "Disabled" } $auditResult += [WELA]::New( "Security Advanced (Object Access)", "File Share", - $enabled, + $current, [array]$rules, "No Auditing", "Success and Failure", @@ -4282,10 +4458,11 @@ function GuideMSS { $channels = @("sec") $enabled = $enabledguid -contains $guid $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $current = if ($enabled) { "Enabled" } else { "Disabled" } $auditResult += [WELA]::New( "Security Advanced (Object Access)", "File System", - $enabled, + $current, [array]$rules, "No Auditing", "", @@ -4299,10 +4476,11 @@ function GuideMSS { $channels = @("sec") $enabled = $enabledguid -contains $guid $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $current = if ($enabled) { "Enabled" } else { "Disabled" } $auditResult += [WELA]::New( "Security Advanced (Object Access)", "Filtering Platform Connection", - $enabled, + $current, [array]$rules, "No Auditing", "", @@ -4316,10 +4494,11 @@ function GuideMSS { $channels = @("sec") $enabled = $enabledguid -contains $guid $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $current = if ($enabled) { "Enabled" } else { "Disabled" } $auditResult += [WELA]::New( "Security Advanced (Object Access)", "Filtering Platform Packet Drop", - $enabled, + $current, [array]$rules, "No Auditing", "", 
@@ -4333,10 +4512,11 @@ function GuideMSS { $channels = @("sec") $enabled = $enabledguid -contains $guid $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $current = if ($enabled) { "Enabled" } else { "Disabled" } $auditResult += [WELA]::New( "Security Advanced (Object Access)", "Kernel Object", - $enabled, + $current, [array]$rules, "No Auditing", "Success and Failure", @@ -4350,10 +4530,11 @@ function GuideMSS { $channels = @("sec") $enabled = $enabledguid -contains $guid $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $current = if ($enabled) { "Enabled" } else { "Disabled" } $auditResult += [WELA]::New( "Security Advanced (Object Access)", "Handle Manipulation", - $enabled, + $current, [array]$rules, "No Auditing", "", @@ -4367,10 +4548,11 @@ function GuideMSS { $channels = @("sec") $enabled = $enabledguid -contains $guid $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $current = if ($enabled) { "Enabled" } else { "Disabled" } $auditResult += [WELA]::New( "Security Advanced (Object Access)", "Other Object Access Events", - $enabled, + $current, [array]$rules, "No Auditing", "Success and Failure", @@ -4384,10 +4566,11 @@ function GuideMSS { $channels = @("sec") $enabled = $enabledguid -contains $guid $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $current = if ($enabled) { "Enabled" } else { "Disabled" } $auditResult += [WELA]::New( "Security Advanced (Object Access)", "Registry", - $enabled, + $current, [array]$rules, "No Auditing", "Success and Failure", @@ -4401,10 +4584,11 @@ function GuideMSS { $channels = @("sec") $enabled = $enabledguid -contains $guid $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $current = if ($enabled) { "Enabled" } else { "Disabled" } $auditResult += [WELA]::New( "Security Advanced (Object Access)", "Removable Storage", - $enabled, + $current, [array]$rules, "No Auditing", "", 
@@ -4418,10 +4602,11 @@ function GuideMSS { $channels = @("sec") $enabled = $enabledguid -contains $guid $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $current = if ($enabled) { "Enabled" } else { "Disabled" } $auditResult += [WELA]::New( "Security Advanced (Object Access)", "SAM", - $enabled, + $current, [array]$rules, "No Auditing", "", @@ -4436,10 +4621,11 @@ function GuideMSS { $channels = @("sec") $enabled = $enabledguid -contains $guid $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $current = if ($enabled) { "Enabled" } else { "Disabled" } $auditResult += [WELA]::New( "Security Advanced (Policy Change)", "Audit Policy Change", - $enabled, + $current, [array]$rules, "Success", "Success and Failure", @@ -4453,10 +4639,11 @@ function GuideMSS { $channels = @("sec") $enabled = $enabledguid -contains $guid $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $current = if ($enabled) { "Enabled" } else { "Disabled" } $auditResult += [WELA]::New( "Security Advanced (Policy Change)", "Authentication Policy Change", - $enabled, + $current, [array]$rules, "Success", "Success", @@ -4470,10 +4657,11 @@ function GuideMSS { $channels = @("sec") $enabled = $enabledguid -contains $guid $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $current = if ($enabled) { "Enabled" } else { "Disabled" } $auditResult += [WELA]::New( "Security Advanced (Policy Change)", "Authorization Policy Change", - $enabled, + $current, [array]$rules, "No Auditing", "", @@ -4487,10 +4675,11 @@ function GuideMSS { $channels = @("sec") $enabled = $enabledguid -contains $guid $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $current = if ($enabled) { "Enabled" } else { "Disabled" } $auditResult += [WELA]::New( "Security Advanced (Policy Change)", "Filtering Platform Policy Change", - $enabled, + $current, [array]$rules, "No Auditing", "", 
@@ -4504,10 +4693,11 @@ function GuideMSS { $channels = @("sec") $enabled = $enabledguid -contains $guid $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $current = if ($enabled) { "Enabled" } else { "Disabled" } $auditResult += [WELA]::New( "Security Advanced (Policy Change)", "MPSSVC Rule-Level Policy Change", - $enabled, + $current, [array]$rules, "No Auditing", "", @@ -4521,10 +4711,11 @@ function GuideMSS { $channels = @("sec") $enabled = $enabledguid -contains $guid $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $current = if ($enabled) { "Enabled" } else { "Disabled" } $auditResult += [WELA]::New( "Security Advanced (Policy Change)", "Other Policy Change Events", - $enabled, + $current, [array]$rules, "No Auditing", "Success and Failure", @@ -4539,10 +4730,11 @@ function GuideMSS { $channels = @("sec") $enabled = $enabledguid -contains $guid $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $current = if ($enabled) { "Enabled" } else { "Disabled" } $auditResult += [WELA]::New( "Security Advanced (Privilege Use)", "Non-Sensitive Privilege Use", - $enabled, + $current, [array]$rules, "No Auditing", "", @@ -4556,10 +4748,11 @@ function GuideMSS { $channels = @("sec") $enabled = $enabledguid -contains $guid $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $current = if ($enabled) { "Enabled" } else { "Disabled" } $auditResult += [WELA]::New( "Security Advanced (Privilege Use)", "Sensitive Privilege Use", - $enabled, + $current, [array]$rules, "No Auditing", "", @@ -4574,10 +4767,11 @@ function GuideMSS { $channels = @("sec") $enabled = $enabledguid -contains $guid $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $current = if ($enabled) { "Enabled" } else { "Disabled" } $auditResult += [WELA]::New( "Security Advanced (System)", "Other System Events", - $enabled, + $current, [array]$rules, "Success and Failure", "", 
@@ -4591,10 +4785,11 @@ function GuideMSS { $channels = @("sec") $enabled = $enabledguid -contains $guid $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $current = if ($enabled) { "Enabled" } else { "Disabled" } $auditResult += [WELA]::New( "Security Advanced (System)", "Other System Events", - $enabled, + $current, [array]$rules, "Success", "Success and Failure", @@ -4608,10 +4803,11 @@ function GuideMSS { $channels = @("sec") $enabled = $enabledguid -contains $guid $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $current = if ($enabled) { "Enabled" } else { "Disabled" } $auditResult += [WELA]::New( "Security Advanced (System)", "Security System Extension", - $enabled, + $current, [array]$rules, "No Auditing", "Success and Failure", @@ -4625,10 +4821,11 @@ function GuideMSS { $channels = @("sec") $enabled = $enabledguid -contains $guid $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $current = if ($enabled) { "Enabled" } else { "Disabled" } $auditResult += [WELA]::New( "Security Advanced (System)", "System Integrity", - $enabled, + $current, [array]$rules, "Success and Failure", "Success and Failure", @@ -4646,7 +4843,7 @@ function GuideMSS { $auditResult += [WELA]::New( "Security-Mitigations KernelMode", "", - $enabled, + "Enabled", [array]$rules, "Enabled", "", @@ -4664,7 +4861,7 @@ function GuideMSS { $auditResult += [WELA]::New( "Security-Mitigations UserMode", "", - $enabled, + "Enabled", [array]$rules, "Enabled", "", @@ -4682,7 +4879,7 @@ function GuideMSS { $auditResult += [WELA]::New( "SMBClient Security", "", - $enabled, + "Enabled", [array]$rules, "Enabled", "", @@ -4700,7 +4897,7 @@ function GuideMSS { $auditResult += [WELA]::New( "System", "", - $enabled, + "Enabled", [array]$rules, "Enabled", "", @@ -4718,7 +4915,7 @@ function GuideMSS { $auditResult += [WELA]::New( "TaskScheduler Operational", "", - $enabled, + "Enabled", [array]$rules, "Enabled", "", 
@@ -4736,7 +4933,7 @@ function GuideMSS { $auditResult += [WELA]::New( "TerminalServices-LocalSessionManager Operational", "", - $enabled, + "Enabled", [array]$rules, "Enabled", "", @@ -4754,7 +4951,7 @@ function GuideMSS { $auditResult += [WELA]::New( "WMI-Activity Operational", "", - $enabled, + "Enabled", [array]$rules, "Enabled", "", @@ -4772,7 +4969,7 @@ function GuideMSS { $auditResult += [WELA]::New( "Windows Defender Operational", "", - $enabled, + "Enabled", [array]$rules, "Enabled", "", 
@@ -4874,12 +5071,12 @@ function AuditLogSetting {
 }
 Write-Host ""
 }
- $auditResult | Select-Object -Property Category, SubCategory, RuleCount, RuleCountByLevel, Enabled, DefaultSetting, RecommendedSetting, Volume, Note | Export-Csv -Path "WELA-Audit-Result.csv" -NoTypeInformation
+ $auditResult | Select-Object -Property Category, SubCategory, RuleCount, RuleCountByLevel, DefaultSetting, CurrentSetting, RecommendedSetting, Volume, Note | Export-Csv -Path "WELA-Audit-Result.csv" -NoTypeInformation
 Write-Output "Audit check result saved to: WELA-Audit-Result.csv"
 } elseif ($outType -eq "gui") {
- $auditResult | Select-Object -Property Category, SubCategory, RuleCount, RuleCountByLevel, Enabled, DefaultSetting, RecommendedSetting, Volume, Note | Out-GridView -Title "WELA Audit Result"
+ $auditResult | Select-Object -Property Category, SubCategory, RuleCount, RuleCountByLevel, DefaultSetting, CurrentSetting, RecommendedSetting, Volume, Note | Out-GridView -Title "WELA Audit Result"
 } elseif ($outType -eq "table") {
- $auditResult | Select-Object -Property Category, SubCategory, RuleCount, Enabled, DefaultSetting, RecommendedSetting, Volume | Format-Table
+ $auditResult | Select-Object -Property Category, SubCategory, RuleCount, DefaultSetting, CurrentSetting, RecommendedSetting, Volume | Format-Table
 }
 $usableRules = $auditResult | Select-Object -ExpandProperty Rules | Where-Object { $_.applicable -eq $true }
 $unUsableRules = $auditResult | Select-Object -ExpandProperty Rules | Where-Object { $_.applicable -eq $false }
From d5c990a6384f309c52de1422945fb80d9529d45e Mon Sep 17 00:00:00 2001
From: fukusuket <41001169+fukusuket@users.noreply.github.com>
Date: Fri, 16 May 2025 14:31:02 +0900
Subject: [PATCH 02/15] feat: add currentsetting
---
 WELA.ps1 | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/WELA.ps1 b/WELA.ps1
index 54d92c3e..75ad7ccb 100644
--- a/WELA.ps1
+++ b/WELA.ps1
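Review bot: The exported CSV schema changes here — the `Enabled` column is removed and `CurrentSetting` is inserted after `DefaultSetting` in all three output branches — which is a breaking change for anything that consumes WELA-Audit-Result.csv by column name or position, and the commit message ("feat: add currentsetting") does not say so. A line in the description or changelog naming the removed column and the new one would save downstream users a surprise. AuditLogSetting begins outside this hunk.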
@@ -210,8 +210,8 @@ function GuideYamatoSecurity
 $rules | ForEach-Object { $_.applicable = $enabled }
 $auditResult += [WELA]::New(
 "Application",
+ "",
 "Enabled",
- $enabled,
 [array]$rules,
 "Enabled",
 "Enabled",
From 3786f83924b844f686d61d856dabad3ba2aff64f Mon Sep 17 00:00:00 2001
From: fukusuket <41001169+fukusuket@users.noreply.github.com>
Date: Fri, 16 May 2025 14:32:13 +0900
Subject: [PATCH 03/15] feat: add currentsetting
---
 WELA.ps1 | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/WELA.ps1 b/WELA.ps1
index 75ad7ccb..13e37874 100644
--- a/WELA.ps1
+++ b/WELA.ps1
@@ -5040,8 +5040,8 @@ function AuditLogSetting {
 if ($outType -eq "std") {
 $auditResult | Group-Object -Property Category | ForEach-Object {
- $enabledCount = ($_.Group | Where-Object { $_.Enabled -eq $true } | ForEach-Object { $_.Rules.Count } | Measure-Object -Sum).Sum
- $disabledCount = ($_.Group | Where-Object { $_.Enabled -eq $false } | ForEach-Object { $_.Rules.Count } | Measure-Object -Sum).Sum
+ $enabledCount = ($_.Group | Where-Object { $_.CurrentSetting -eq "Enabled" } | ForEach-Object { $_.Rules.Count } | Measure-Object -Sum).Sum
+ $disabledCount = ($_.Group | Where-Object { $_.CurrentSetting -ne "Enabled" } | ForEach-Object { $_.Rules.Count } | Measure-Object -Sum).Sum
 $out = ""
 $color = ""
 if ($disabledCount -eq 0 -and $enabledCount -ne 0){
From 50561954605e3fa2cdb05a91b1e457b6333b4b37 Mon Sep 17 00:00:00 2001
From: fukusuket <41001169+fukusuket@users.noreply.github.com>
Date: Fri, 16 May 2025 14:38:08 +0900
Subject: [PATCH 04/15] feat: add currentsetting
---
 WELA.ps1 | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/WELA.ps1 b/WELA.ps1
index 13e37874..3097f031 100644
--- a/WELA.ps1
+++ b/WELA.ps1
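Review bot: The literal "Enabled" is now a comparison value in both new `Where-Object` lines of the AuditLogSetting hunk, again in the class's `Output` method in the following commit (`$this.CurrentSetting -eq "Enabled"`), and is spelled out by hand in every Guide* producer; a typo in any one of those places silently moves a channel into the disabled count without any error. A single static on the class, e.g. `static [string] $SettingEnabled = "Enabled"`, referenced by producers and consumers alike, would remove that risk. Note also that `-ne "Enabled"` counts an empty CurrentSetting as disabled; if any constructor path can leave the field unset, that should be treated as "unknown" rather than "off" so the summary does not overstate coverage.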
@@ -66,9 +66,9 @@ class WELA {
 [void] Output([string] $Format) {
 switch ($Format.ToLower()) {
 "std" {
- $color = if ($this.Enabled) { "Green" } else { "Red" }
+ $color = if ($this.CurrentSetting -eq "Enabled") { "Green" } else { "Red" }
 $ruleCounts = ""
- $logEnabled = if ($this.Enabled) { "Enabled" } else { "Disabled" }
+ $logEnabled = $this.CurrentSetting
 $allZero = $this.RulesCount.Values | Where-Object { $_ -ne 0 } | Measure-Object | Select-Object -ExpandProperty Count
 if ($allZero -eq 0) {
 $ruleCounts = "(no rules)"
From ea5514e4b42632bae55000c2e371ada0e7dacb3f Mon Sep 17 00:00:00 2001
From: fukusuket <41001169+fukusuket@users.noreply.github.com>
Date: Fri, 16 May 2025 14:39:08 +0900
Subject: [PATCH 05/15] feat: add currentsetting
---
 WELA.ps1 | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/WELA.ps1 b/WELA.ps1
index 3097f031..b24fef13 100644
--- a/WELA.ps1
+++ b/WELA.ps1
@@ -1346,7 +1346,7 @@ function GuideYamatoSecurity
 $auditResult += [WELA]::New(
 "TerminalServices-LocalSessionManager Operational",
 "",
- $enabled,
+ "Enabled",
 [array]$rules,
 "Enabled",
 "Enabled",
From 68f32dd263186d7f755381af6a84d8f362ca557b Mon Sep 17 00:00:00 2001
From: fukusuket <41001169+fukusuket@users.noreply.github.com>
Date: Fri, 16 May 2025 14:43:50 +0900
Subject: [PATCH 06/15] feat: add currentsetting
---
 WELA.ps1 | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/WELA.ps1 b/WELA.ps1
index b24fef13..a074c671 100644
--- a/WELA.ps1
+++ b/WELA.ps1
@@ -100,7 +100,7 @@ class WELA {
 Write-Host " - Default Setting: $($this.DefaultSetting)"
 }
 if ($this.CurrentSetting) {
- Write-Host " - CurrentSetting Setting: $($this.CurrentSetting)"
+ Write-Host " - Current Setting: $($this.CurrentSetting)"
 }
 if ($this.RecommendedSetting) {
 Write-Host " - Recommended Setting: $($this.RecommendedSetting)"
From c5f96959117533887d9aad32cd26b8ee06473bd4 Mon Sep 17 00:00:00 2001
From: fukusuket <41001169+fukusuket@users.noreply.github.com>
Date: Fri, 16 May 2025 14:46:27 +0900
Subject: [PATCH 07/15] feat: add currentsetting
---
 WELA.ps1 | 388 +++++++++++++++++++++++++++----------------------------
 1 file changed, 194 insertions(+), 194 deletions(-)
diff --git a/WELA.ps1 b/WELA.ps1
index a074c671..554ee2a2 100644
--- a/WELA.ps1
+++ b/WELA.ps1
@@ -371,7 +371,7 @@ function GuideYamatoSecurity
 $enabled = CheckRegistryValue -registryPath "HKLM:\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\PowerShell\ModuleLogging" -valueName "EnableModuleLogging" -expectedValue 1
 $rules = $all_rules | Where-Object { RuleFilter $_ $eids $channels $guid }
 $rules | ForEach-Object { $_.applicable = $enabled }
- $current = if ($enabled) { "Enabled" } else { "Disabled" }
+ $current = if ($enabled) { "Enabled" } else { "No auditing" }
 $auditResult += [WELA]::New(
 "PowerShell",
 "Module",
@@ -390,7 +390,7 @@ function GuideYamatoSecurity
 $enabled = CheckRegistryValue -registryPath "HKLM:\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging" -valueName "EnableScriptBlockLogging" -expectedValue 1
 $rules = $all_rules | Where-Object { RuleFilter $_ $eids $channels $guid }
 $rules | ForEach-Object { $_.applicable = $enabled }
- $current = if ($enabled) { "Enabled" } else { "Disabled" }
+ $current = if ($enabled) { "Enabled" } else { "No auditing" }
 $auditResult += [WELA]::New(
 "PowerShell",
 "ScriptBlock",
@@ -447,7 +447,7 @@ function GuideYamatoSecurity
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Enabled" } else { "Disabled" }
+ $current = if ($enabled) { "Enabled" } else { "No auditing" }
 $auditResult += [WELA]::New(
 "Security Advanced (Account Logon)",
 "Credential Validation",
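Review bot: The false branch now reads "No auditing" for the PowerShell Module and ScriptBlock rows, but those are registry-backed logging policies rather than audit-policy subcategories, and a false result from `CheckRegistryValue` (defined outside this view) may mean the value is absent, i.e. not configured, as well as explicitly 0; the label blurs that distinction and also differs in capitalisation from the DefaultSetting vocabulary ("No Auditing") that appears in the same row elsewhere. Suggest keeping "Disabled" (or "Not configured") for the two registry checks and using the exact DefaultSetting spelling, `"No Auditing"`, for the Security Advanced rows such as Credential Validation. The GuideMSC and GuideMSS equivalents from the first commit still produce "Disabled"; the diffstat of 194 changed lines suggests they are updated outside this view, but if not, the three guides would emit different vocabularies into the same CurrentSetting column and the `-ne "Enabled"` summary would be the only consumer unaffected. The same point applies to the remaining hunks of this commit.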
@@ -465,7 +465,7 @@ function GuideYamatoSecurity
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Enabled" } else { "Disabled" }
+ $current = if ($enabled) { "Enabled" } else { "No auditing" }
 $auditResult += [WELA]::New(
 "Security Advanced (Account Logon)",
 "Kerberos Authentication Service",
@@ -483,7 +483,7 @@ function GuideYamatoSecurity
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Enabled" } else { "Disabled" }
+ $current = if ($enabled) { "Enabled" } else { "No auditing" }
 $auditResult += [WELA]::New(
 "Security Advanced (Account Logon)",
 "Kerberos Service Ticket Operations",
@@ -502,7 +502,7 @@ function GuideYamatoSecurity
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Enabled" } else { "Disabled" }
+ $current = if ($enabled) { "Enabled" } else { "No auditing" }
 $auditResult += [WELA]::New(
 "Security Advanced (Account Management)",
 "Computer Account Management",
@@ -520,7 +520,7 @@ function GuideYamatoSecurity
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Enabled" } else { "Disabled" }
+ $current = if ($enabled) { "Enabled" } else { "No auditing" }
 $auditResult += [WELA]::New(
 "Security Advanced (Account Management)",
 "Other Account Management Events",
@@ -538,7 +538,7 @@ function GuideYamatoSecurity
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Enabled" } else { "Disabled" }
+ $current = if ($enabled) { "Enabled" } else { "No auditing" }
 $auditResult += [WELA]::New(
 "Security Advanced (Account Management)",
 "Security Group Management",
@@ -556,7 +556,7 @@ function GuideYamatoSecurity
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Enabled" } else { "Disabled" }
+ $current = if ($enabled) { "Enabled" } else { "No auditing" }
 $auditResult += [WELA]::New(
 "Security Advanced (Account Management)",
 "User Account Management",
@@ -575,7 +575,7 @@ function GuideYamatoSecurity
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Enabled" } else { "Disabled" }
+ $current = if ($enabled) { "Enabled" } else { "No auditing" }
 $auditResult += [WELA]::New(
 "Security Advanced (Detailed Tracking)",
 "Plug and Play Events",
@@ -593,7 +593,7 @@ function GuideYamatoSecurity
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Enabled" } else { "Disabled" }
+ $current = if ($enabled) { "Enabled" } else { "No auditing" }
 $auditResult += [WELA]::New(
 "Security Advanced (Detailed Tracking)",
 "Process Creation",
@@ -611,7 +611,7 @@ function GuideYamatoSecurity
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Enabled" } else { "Disabled" }
+ $current = if ($enabled) { "Enabled" } else { "No auditing" }
 $auditResult += [WELA]::New(
 "Security Advanced (Detailed Tracking)",
 "Process Termination",
@@ -629,7 +629,7 @@ function GuideYamatoSecurity
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Enabled" } else { "Disabled" }
+ $current = if ($enabled) { "Enabled" } else { "No auditing" }
 $auditResult += [WELA]::New(
 "Security Advanced (Detailed Tracking)",
 "RPC Events",
@@ -647,7 +647,7 @@ function GuideYamatoSecurity
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Enabled" } else { "Disabled" }
+ $current = if ($enabled) { "Enabled" } else { "No auditing" }
 $auditResult += [WELA]::New(
 "Security Advanced (Detailed Tracking)",
 "Token Right Adjusted Events",
@@ -666,7 +666,7 @@ function GuideYamatoSecurity
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Enabled" } else { "Disabled" }
+ $current = if ($enabled) { "Enabled" } else { "No auditing" }
 $auditResult += [WELA]::New(
 "Security Advanced (DS Access)",
 "Directory Service Access",
@@ -684,7 +684,7 @@ function GuideYamatoSecurity
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Enabled" } else { "Disabled" }
+ $current = if ($enabled) { "Enabled" } else { "No auditing" }
 $auditResult += [WELA]::New(
 "Security Advanced (DS Access)",
 "Directory Service Changes",
@@ -703,7 +703,7 @@ function GuideYamatoSecurity
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Enabled" } else { "Disabled" }
+ $current = if ($enabled) { "Enabled" } else { "No auditing" }
 $auditResult += [WELA]::New(
 "Security Advanced (Logon/Logoff)",
 "Account Lockout",
@@ -721,7 +721,7 @@ function GuideYamatoSecurity
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Enabled" } else { "Disabled" }
+ $current = if ($enabled) { "Enabled" } else { "No auditing" }
 $auditResult += [WELA]::New(
 "Security Advanced (Logon/Logoff)",
 "Group Membership",
@@ -739,7 +739,7 @@ function GuideYamatoSecurity
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Enabled" } else { "Disabled" }
+ $current = if ($enabled) { "Enabled" } else { "No auditing" }
 $auditResult += [WELA]::New(
 "Security Advanced (Logon/Logoff)",
 "Group Membership",
@@ -757,7 +757,7 @@ function GuideYamatoSecurity
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Enabled" } else { "Disabled" }
+ $current = if ($enabled) { "Enabled" } else { "No auditing" }
 $auditResult += [WELA]::New(
 "Security Advanced (Logon/Logoff)",
 "Logon",
@@ -775,7 +775,7 @@ function GuideYamatoSecurity
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Enabled" } else { "Disabled" }
+ $current = if ($enabled) { "Enabled" } else { "No auditing" }
 $auditResult += [WELA]::New(
 "Security Advanced (Logon/Logoff)",
 "Other Logon/Logoff Events",
@@ -793,7 +793,7 @@ function GuideYamatoSecurity
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Enabled" } else { "Disabled" }
+ $current = if ($enabled) { "Enabled" } else { "No auditing" }
 $auditResult += [WELA]::New(
 "Security Advanced (Logon/Logoff)",
 "Special Logon",
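Review bot: The two consecutive hunks at @@ -721 and @@ -739 both label their entry "Security Advanced (Logon/Logoff)" / "Group Membership", so either one subcategory is reported twice or the second was meant to be a different subcategory and now reports the wrong one's audit state; the same doubled label appears at @@ -813 and @@ -831 (Certification Services), at @@ -1176 and @@ -1194 (Other System Events), and in the GuideASD copies at @@ -1919/-1937, @@ -2011/-2029 and @@ -2374/-2392. The `$guid` each entry checks is set above the hunk, so I cannot tell from here which label is right; please verify the subcategory names against their GUIDs, since a mislabelled entry hides a gap in audit coverage. The enclosing GuideYamatoSecurity body is outside the hunk.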
@@ -813,7 +813,7 @@ function GuideYamatoSecurity
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Enabled" } else { "Disabled" }
+ $current = if ($enabled) { "Enabled" } else { "No auditing" }
 $auditResult += [WELA]::New(
 "Security Advanced (Object Access)",
 "Certification Services",
@@ -831,7 +831,7 @@ function GuideYamatoSecurity
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Enabled" } else { "Disabled" }
+ $current = if ($enabled) { "Enabled" } else { "No auditing" }
 $auditResult += [WELA]::New(
 "Security Advanced (Object Access)",
 "Certification Services",
@@ -849,7 +849,7 @@ function GuideYamatoSecurity
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Enabled" } else { "Disabled" }
+ $current = if ($enabled) { "Enabled" } else { "No auditing" }
 $auditResult += [WELA]::New(
 "Security Advanced (Object Access)",
 "File Share",
@@ -867,7 +867,7 @@ function GuideYamatoSecurity
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Enabled" } else { "Disabled" }
+ $current = if ($enabled) { "Enabled" } else { "No auditing" }
 $auditResult += [WELA]::New(
 "Security Advanced (Object Access)",
 "File System",
@@ -885,7 +885,7 @@ function GuideYamatoSecurity
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Enabled" } else { "Disabled" }
+ $current = if ($enabled) { "Enabled" } else { "No auditing" }
 $auditResult += [WELA]::New(
 "Security Advanced (Object Access)",
 "Filtering Platform Connection",
@@ -903,7 +903,7 @@ function GuideYamatoSecurity
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Enabled" } else { "Disabled" }
+ $current = if ($enabled) { "Enabled" } else { "No auditing" }
 $auditResult += [WELA]::New(
 "Security Advanced (Object Access)",
 "Filtering Platform Packet Drop",
@@ -921,7 +921,7 @@ function GuideYamatoSecurity
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Enabled" } else { "Disabled" }
+ $current = if ($enabled) { "Enabled" } else { "No auditing" }
 $auditResult += [WELA]::New(
 "Security Advanced (Object Access)",
 "Kernel Object",
@@ -939,7 +939,7 @@ function GuideYamatoSecurity
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Enabled" } else { "Disabled" }
+ $current = if ($enabled) { "Enabled" } else { "No auditing" }
 $auditResult += [WELA]::New(
 "Security Advanced (Object Access)",
 "Handle Manipulation",
@@ -957,7 +957,7 @@ function GuideYamatoSecurity
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Enabled" } else { "Disabled" }
+ $current = if ($enabled) { "Enabled" } else { "No auditing" }
 $auditResult += [WELA]::New(
 "Security Advanced (Object Access)",
 "Other Object Access Events",
@@ -975,7 +975,7 @@ function GuideYamatoSecurity
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Enabled" } else { "Disabled" }
+ $current = if ($enabled) { "Enabled" } else { "No auditing" }
 $auditResult += [WELA]::New(
 "Security Advanced (Object Access)",
 "Registry",
@@ -993,7 +993,7 @@ function GuideYamatoSecurity
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Enabled" } else { "Disabled" }
+ $current = if ($enabled) { "Enabled" } else { "No auditing" }
 $auditResult += [WELA]::New(
 "Security Advanced (Object Access)",
 "Removable Storage",
@@ -1011,7 +1011,7 @@ function GuideYamatoSecurity
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Enabled" } else { "Disabled" }
+ $current = if ($enabled) { "Enabled" } else { "No auditing" }
 $auditResult += [WELA]::New(
 "Security Advanced (Object Access)",
 "SAM",
@@ -1030,7 +1030,7 @@ function GuideYamatoSecurity
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Enabled" } else { "Disabled" }
+ $current = if ($enabled) { "Enabled" } else { "No auditing" }
 $auditResult += [WELA]::New(
 "Security Advanced (Policy Change)",
 "Audit Policy Change",
@@ -1048,7 +1048,7 @@ function GuideYamatoSecurity
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Enabled" } else { "Disabled" }
+ $current = if ($enabled) { "Enabled" } else { "No auditing" }
 $auditResult += [WELA]::New(
 "Security Advanced (Policy Change)",
 "Authentication Policy Change",
@@ -1066,7 +1066,7 @@ function GuideYamatoSecurity
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Enabled" } else { "Disabled" }
+ $current = if ($enabled) { "Enabled" } else { "No auditing" }
 $auditResult += [WELA]::New(
 "Security Advanced (Policy Change)",
 "Authorization Policy Change",
@@ -1084,7 +1084,7 @@ function GuideYamatoSecurity
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Enabled" } else { "Disabled" }
+ $current = if ($enabled) { "Enabled" } else { "No auditing" }
 $auditResult += [WELA]::New(
 "Security Advanced (Policy Change)",
 "Filtering Platform Policy Change",
@@ -1102,7 +1102,7 @@ function GuideYamatoSecurity
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Enabled" } else { "Disabled" }
+ $current = if ($enabled) { "Enabled" } else { "No auditing" }
 $auditResult += [WELA]::New(
 "Security Advanced (Policy Change)",
 "MPSSVC Rule-Level Policy Change",
@@ -1120,7 +1120,7 @@ function GuideYamatoSecurity
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Enabled" } else { "Disabled" }
+ $current = if ($enabled) { "Enabled" } else { "No auditing" }
 $auditResult += [WELA]::New(
 "Security Advanced (Policy Change)",
 "Other Policy Change Events",
@@ -1139,7 +1139,7 @@ function GuideYamatoSecurity
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Enabled" } else { "Disabled" }
+ $current = if ($enabled) { "Enabled" } else { "No auditing" }
 $auditResult += [WELA]::New(
 "Security Advanced (Privilege Use)",
 "Non-Sensitive Privilege Use",
@@ -1157,7 +1157,7 @@ function GuideYamatoSecurity
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Enabled" } else { "Disabled" }
+ $current = if ($enabled) { "Enabled" } else { "No auditing" }
 $auditResult += [WELA]::New(
 "Security Advanced (Privilege Use)",
 "Sensitive Privilege Use",
@@ -1176,7 +1176,7 @@ function GuideYamatoSecurity
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Enabled" } else { "Disabled" }
+ $current = if ($enabled) { "Enabled" } else { "No auditing" }
 $auditResult += [WELA]::New(
 "Security Advanced (System)",
 "Other System Events",
@@ -1194,7 +1194,7 @@ function GuideYamatoSecurity
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Enabled" } else { "Disabled" }
+ $current = if ($enabled) { "Enabled" } else { "No auditing" }
 $auditResult += [WELA]::New(
 "Security Advanced (System)",
 "Other System Events",
@@ -1212,7 +1212,7 @@ function GuideYamatoSecurity
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Enabled" } else { "Disabled" }
+ $current = if ($enabled) { "Enabled" } else { "No auditing" }
 $auditResult += [WELA]::New(
 "Security Advanced (System)",
 "Security System Extension",
@@ -1230,7 +1230,7 @@ function GuideYamatoSecurity
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Enabled" } else { "Disabled" }
+ $current = if ($enabled) { "Enabled" } else { "No auditing" }
 $auditResult += [WELA]::New(
 "Security Advanced (System)",
 "System Integrity",
@@ -1249,7 +1249,7 @@ function GuideYamatoSecurity
 $enabled = $true
 $rules = $all_rules | Where-Object { RuleFilter $_ $eids $channels $guid }
 $rules | ForEach-Object { $_.applicable = $enabled }
- $current = if ($enabled) { "Enabled" } else { "Disabled" }
+ $current = if ($enabled) { "Enabled" } else { "No auditing" }
 $auditResult += [WELA]::New(
 "Security-Mitigations KernelMode",
 "",
@@ -1268,7 +1268,7 @@ function GuideYamatoSecurity
 $enabled = $true
 $rules = $all_rules | Where-Object { RuleFilter $_ $eids $channels $guid }
 $rules | ForEach-Object { $_.applicable = $enabled }
- $current = if ($enabled) { "Enabled" } else { "Disabled" }
+ $current = if ($enabled) { "Enabled" } else { "No auditing" }
 $auditResult += [WELA]::New(
 "Security-Mitigations UserMode",
 "",
@@ -1287,7 +1287,7 @@ function GuideYamatoSecurity
 $enabled = $true
 $rules = $all_rules | Where-Object { RuleFilter $_ $eids $channels $guid }
 $rules | ForEach-Object { $_.applicable = $enabled }
- $current = if ($enabled) { "Enabled" } else { "Disabled" }
+ $current = if ($enabled) { "Enabled" } else { "No auditing" }
 $auditResult += [WELA]::New(
 "SMBClient Security",
 "",
@@ -1306,7 +1306,7 @@ function GuideYamatoSecurity
 $enabled = $true
 $rules = $all_rules | Where-Object { RuleFilter $_ $eids $channels $guid }
 $rules | ForEach-Object { $_.applicable = $enabled }
- $current = if ($enabled) { "Enabled" } else { "Disabled" }
+ $current = if ($enabled) { "Enabled" } else { "No auditing" }
 $auditResult += [WELA]::New(
 "System",
 "",
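Review bot: In the four hunks on this line (@@ -1249, -1268, -1287, -1306) `$enabled` is hard-coded `$true` on the first context line, so the changed `else { "No auditing" }` branch is unreachable and the report will always show Security-Mitigations KernelMode/UserMode, SMBClient Security and System as "Enabled" regardless of the host's actual configuration; the GuideASD copies at @@ -2447, -2466 and -2485 behave the same. Since the other entries derive the state from a real check, either query these channels' state as well (the IsEnabled property of `Get-WinEvent -ListLog <channel>` would do it, though I cannot see from the hunk how other channels are probed in this file) or label them explicitly, e.g. `$current = "Always on"`, so a reader does not assume the state was verified. Each block's channel and `$guid` setup is outside the hunk.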
@@ -1569,7 +1569,7 @@ function GuideASD {
 $enabled = CheckRegistryValue -registryPath "HKLM:\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\PowerShell\ModuleLogging" -valueName "EnableModuleLogging" -expectedValue 1
 $rules = $all_rules | Where-Object { RuleFilter $_ $eids $channels $guid }
 $rules | ForEach-Object { $_.applicable = $enabled }
- $current = if ($enabled) { "Enabled" } else { "Disabled" }
+ $current = if ($enabled) { "Enabled" } else { "No auditing" }
 $auditResult += [WELA]::New(
 "PowerShell",
 "Module",
@@ -1588,7 +1588,7 @@ function GuideASD {
 $enabled = CheckRegistryValue -registryPath "HKLM:\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging" -valueName "EnableScriptBlockLogging" -expectedValue 1
 $rules = $all_rules | Where-Object { RuleFilter $_ $eids $channels $guid }
 $rules | ForEach-Object { $_.applicable = $enabled }
- $current = if ($enabled) { "Enabled" } else { "Disabled" }
+ $current = if ($enabled) { "Enabled" } else { "No auditing" }
 $auditResult += [WELA]::New(
 "PowerShell",
 "ScriptBlock",
@@ -1645,7 +1645,7 @@ function GuideASD {
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Enabled" } else { "Disabled" }
+ $current = if ($enabled) { "Enabled" } else { "No auditing" }
 $auditResult += [WELA]::New(
 "Security Advanced (Account Logon)",
 "Credential Validation",
@@ -1663,7 +1663,7 @@ function GuideASD {
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Enabled" } else { "Disabled" }
+ $current = if ($enabled) { "Enabled" } else { "No auditing" }
 $auditResult += [WELA]::New(
 "Security Advanced (Account Logon)",
 "Kerberos Authentication Service",
@@ -1681,7 +1681,7 @@ function GuideASD {
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Enabled" } else { "Disabled" }
+ $current = if ($enabled) { "Enabled" } else { "No auditing" }
 $auditResult += [WELA]::New(
 "Security Advanced (Account Logon)",
 "Kerberos Service Ticket Operations",
@@ -1700,7 +1700,7 @@ function GuideASD {
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Enabled" } else { "Disabled" }
+ $current = if ($enabled) { "Enabled" } else { "No auditing" }
 $auditResult += [WELA]::New(
 "Security Advanced (Account Management)",
 "Computer Account Management",
@@ -1718,7 +1718,7 @@ function GuideASD {
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Enabled" } else { "Disabled" }
+ $current = if ($enabled) { "Enabled" } else { "No auditing" }
 $auditResult += [WELA]::New(
 "Security Advanced (Account Management)",
 "Other Account Management Events",
@@ -1736,7 +1736,7 @@ function GuideASD {
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Enabled" } else { "Disabled" }
+ $current = if ($enabled) { "Enabled" } else { "No auditing" }
 $auditResult += [WELA]::New(
 "Security Advanced (Account Management)",
 "Security Group Management",
@@ -1754,7 +1754,7 @@ function GuideASD {
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Enabled" } else { "Disabled" }
+ $current = if ($enabled) { "Enabled" } else { "No auditing" }
 $auditResult += [WELA]::New(
 "Security Advanced (Account Management)",
 "User Account Management",
@@ -1773,7 +1773,7 @@ function GuideASD {
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Enabled" } else { "Disabled" }
+ $current = if ($enabled) { "Enabled" } else { "No auditing" }
 $auditResult += [WELA]::New(
 "Security Advanced (Detailed Tracking)",
 "Plug and Play Events",
@@ -1791,7 +1791,7 @@ function GuideASD {
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Enabled" } else { "Disabled" }
+ $current = if ($enabled) { "Enabled" } else { "No auditing" }
 $auditResult += [WELA]::New(
 "Security Advanced (Detailed Tracking)",
 "Process Creation",
@@ -1809,7 +1809,7 @@ function GuideASD {
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Enabled" } else { "Disabled" }
+ $current = if ($enabled) { "Enabled" } else { "No auditing" }
 $auditResult += [WELA]::New(
 "Security Advanced (Detailed Tracking)",
 "Process Termination",
@@ -1827,7 +1827,7 @@ function GuideASD {
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Enabled" } else { "Disabled" }
+ $current = if ($enabled) { "Enabled" } else { "No auditing" }
 $auditResult += [WELA]::New(
 "Security Advanced (Detailed Tracking)",
 "RPC Events",
@@ -1845,7 +1845,7 @@ function GuideASD {
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Enabled" } else { "Disabled" }
+ $current = if ($enabled) { "Enabled" } else { "No auditing" }
 $auditResult += [WELA]::New(
 "Security Advanced (Detailed Tracking)",
 "Token Right Adjusted Events",
@@ -1864,7 +1864,7 @@ function GuideASD {
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Enabled" } else { "Disabled" }
+ $current = if ($enabled) { "Enabled" } else { "No auditing" }
 $auditResult += [WELA]::New(
 "Security Advanced (DS Access)",
 "Directory Service Access",
@@ -1882,7 +1882,7 @@ function GuideASD {
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Enabled" } else { "Disabled" }
+ $current = if ($enabled) { "Enabled" } else { "No auditing" }
 $auditResult += [WELA]::New(
 "Security Advanced (DS Access)",
 "Directory Service Changes",
@@ -1901,7 +1901,7 @@ function GuideASD {
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Enabled" } else { "Disabled" }
+ $current = if ($enabled) { "Enabled" } else { "No auditing" }
 $auditResult += [WELA]::New(
 "Security Advanced (Logon/Logoff)",
 "Account Lockout",
@@ -1919,7 +1919,7 @@ function GuideASD {
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Enabled" } else { "Disabled" }
+ $current = if ($enabled) { "Enabled" } else { "No auditing" }
 $auditResult += [WELA]::New(
 "Security Advanced (Logon/Logoff)",
 "Group Membership",
@@ -1937,7 +1937,7 @@ function GuideASD {
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Enabled" } else { "Disabled" }
+ $current = if ($enabled) { "Enabled" } else { "No auditing" }
 $auditResult += [WELA]::New(
 "Security Advanced (Logon/Logoff)",
 "Group Membership",
@@ -1955,7 +1955,7 @@ function GuideASD {
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Enabled" } else { "Disabled" }
+ $current = if ($enabled) { "Enabled" } else { "No auditing" }
 $auditResult += [WELA]::New(
 "Security Advanced (Logon/Logoff)",
 "Logon",
@@ -1973,7 +1973,7 @@ function GuideASD {
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Enabled" } else { "Disabled" }
+ $current = if ($enabled) { "Enabled" } else { "No auditing" }
 $auditResult += [WELA]::New(
 "Security Advanced (Logon/Logoff)",
 "Other Logon/Logoff Events",
@@ -1991,7 +1991,7 @@ function GuideASD {
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Enabled" } else { "Disabled" }
+ $current = if ($enabled) { "Enabled" } else { "No auditing" }
 $auditResult += [WELA]::New(
 "Security Advanced (Logon/Logoff)",
 "Special Logon",
@@ -2011,7 +2011,7 @@ function GuideASD {
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Enabled" } else { "Disabled" }
+ $current = if ($enabled) { "Enabled" } else { "No auditing" }
 $auditResult += [WELA]::New(
 "Security Advanced (Object Access)",
 "Certification Services",
@@ -2029,7 +2029,7 @@ function GuideASD {
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Enabled" } else { "Disabled" }
+ $current = if ($enabled) { "Enabled" } else { "No auditing" }
 $auditResult += [WELA]::New(
 "Security Advanced (Object Access)",
 "Certification Services",
@@ -2047,7 +2047,7 @@ function GuideASD {
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Enabled" } else { "Disabled" }
+ $current = if ($enabled) { "Enabled" } else { "No auditing" }
 $auditResult += [WELA]::New(
 "Security Advanced (Object Access)",
 "File Share",
@@ -2065,7 +2065,7 @@ function GuideASD {
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Enabled" } else { "Disabled" }
+ $current = if ($enabled) { "Enabled" } else { "No auditing" }
 $auditResult += [WELA]::New(
 "Security Advanced (Object Access)",
 "File System",
@@ -2083,7 +2083,7 @@ function GuideASD {
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Enabled" } else { "Disabled" }
+ $current = if ($enabled) { "Enabled" } else { "No auditing" }
 $auditResult += [WELA]::New(
 "Security Advanced (Object Access)",
 "Filtering Platform Connection",
@@ -2101,7 +2101,7 @@ function GuideASD {
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Enabled" } else { "Disabled" }
+ $current = if ($enabled) { "Enabled" } else { "No auditing" }
 $auditResult += [WELA]::New(
 "Security Advanced (Object Access)",
 "Filtering Platform Packet Drop",
@@ -2119,7 +2119,7 @@ function GuideASD {
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Enabled" } else { "Disabled" }
+ $current = if ($enabled) { "Enabled" } else { "No auditing" }
 $auditResult += [WELA]::New(
 "Security Advanced (Object Access)",
 "Kernel Object",
@@ -2137,7 +2137,7 @@ function GuideASD {
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Enabled" } else { "Disabled" }
+ $current = if ($enabled) { "Enabled" } else { "No auditing" }
 $auditResult += [WELA]::New(
 "Security Advanced (Object Access)",
 "Handle Manipulation",
@@ -2155,7 +2155,7 @@ function GuideASD {
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Enabled" } else { "Disabled" }
+ $current = if ($enabled) { "Enabled" } else { "No auditing" }
 $auditResult += [WELA]::New(
 "Security Advanced (Object Access)",
 "Other Object Access Events",
@@ -2173,7 +2173,7 @@ function GuideASD {
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Enabled" } else { "Disabled" }
+ $current = if ($enabled) { "Enabled" } else { "No auditing" }
 $auditResult += [WELA]::New(
 "Security Advanced (Object Access)",
 "Registry",
@@ -2191,7 +2191,7 @@ function GuideASD {
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Enabled" } else { "Disabled" }
+ $current = if ($enabled) { "Enabled" } else { "No auditing" }
 $auditResult += [WELA]::New(
 "Security Advanced (Object Access)",
 "Removable Storage",
@@ -2209,7 +2209,7 @@ function GuideASD {
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Enabled" } else { "Disabled" }
+ $current = if ($enabled) { "Enabled" } else { "No auditing" }
 $auditResult += [WELA]::New(
 "Security Advanced (Object Access)",
 "SAM",
@@ -2228,7 +2228,7 @@ function GuideASD {
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Enabled" } else { "Disabled" }
+ $current = if ($enabled) { "Enabled" } else { "No auditing" }
 $auditResult += [WELA]::New(
 "Security Advanced (Policy Change)",
 "Audit Policy Change",
@@ -2246,7 +2246,7 @@ function GuideASD {
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Enabled" } else { "Disabled" }
+ $current = if ($enabled) { "Enabled" } else { "No auditing" }
 $auditResult += [WELA]::New(
 "Security Advanced (Policy Change)",
 "Authentication Policy Change",
@@ -2264,7 +2264,7 @@ function GuideASD {
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Enabled" } else { "Disabled" }
+ $current = if ($enabled) { "Enabled" } else { "No auditing" }
 $auditResult += [WELA]::New(
 "Security Advanced (Policy Change)",
 "Authorization Policy Change",
@@ -2282,7 +2282,7 @@ function GuideASD {
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Enabled" } else { "Disabled" }
+ $current = if ($enabled) { "Enabled" } else { "No auditing" }
 $auditResult += [WELA]::New(
 "Security Advanced (Policy Change)",
 "Filtering Platform Policy Change",
@@ -2300,7 +2300,7 @@ function GuideASD {
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Enabled" } else { "Disabled" }
+ $current = if ($enabled) { "Enabled" } else { "No auditing" }
 $auditResult += [WELA]::New(
 "Security Advanced (Policy Change)",
 "MPSSVC Rule-Level Policy Change",
@@ -2318,7 +2318,7 @@ function GuideASD { $channels = @("sec") $enabled = $enabledguid -contains $guid $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid - $current = if ($enabled) { "Enabled" } else { "Disabled" } + $current = if ($enabled) { "Enabled" } else { "No auditing" } $auditResult += [WELA]::New( "Security Advanced (Policy Change)", "Other Policy Change Events", @@ -2337,7 +2337,7 @@ function GuideASD { $channels = @("sec") $enabled = $enabledguid -contains $guid $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid - $current = if ($enabled) { "Enabled" } else { "Disabled" } + $current = if ($enabled) { "Enabled" } else { "No auditing" } $auditResult += [WELA]::New( "Security Advanced (Privilege Use)", "Non-Sensitive Privilege Use", @@ -2355,7 +2355,7 @@ function GuideASD { $channels = @("sec") $enabled = $enabledguid -contains $guid $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid - $current = if ($enabled) { "Enabled" } else { "Disabled" } + $current = if ($enabled) { "Enabled" } else { "No auditing" } $auditResult += [WELA]::New( "Security Advanced (Privilege Use)", "Sensitive Privilege Use", @@ -2374,7 +2374,7 @@ function GuideASD { $channels = @("sec") $enabled = $enabledguid -contains $guid $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid - $current = if ($enabled) { "Enabled" } else { "Disabled" } + $current = if ($enabled) { "Enabled" } else { "No auditing" } $auditResult += [WELA]::New( "Security Advanced (System)", "Other System Events", @@ -2392,7 +2392,7 @@ function GuideASD { $channels = @("sec") $enabled = $enabledguid -contains $guid $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid - $current = if ($enabled) { "Enabled" } else { "Disabled" } + $current = if ($enabled) { "Enabled" } else { "No auditing" } $auditResult += [WELA]::New( "Security Advanced (System)", "Other System Events", 
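Review bot: The hunks at 2374 and 2392 both label their rows `"Security Advanced (System)"` / `"Other System Events"`, so the new `$current` value is printed twice under one name and a reader cannot tell which subcategory is `No auditing`. The GUIDs are outside the hunk; if they differ, one label is presumably a copy-paste slip (the System category also contains IPsec Driver and Security State Change), so verify the GUID and rename that row. GuideASD continues outside the hunk.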
@@ -2410,7 +2410,7 @@ function GuideASD { $channels = @("sec") $enabled = $enabledguid -contains $guid $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid - $current = if ($enabled) { "Enabled" } else { "Disabled" } + $current = if ($enabled) { "Enabled" } else { "No auditing" } $auditResult += [WELA]::New( "Security Advanced (System)", "Security System Extension", @@ -2428,7 +2428,7 @@ function GuideASD { $channels = @("sec") $enabled = $enabledguid -contains $guid $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid - $current = if ($enabled) { "Enabled" } else { "Disabled" } + $current = if ($enabled) { "Enabled" } else { "No auditing" } $auditResult += [WELA]::New( "Security Advanced (System)", "System Integrity", @@ -2447,7 +2447,7 @@ function GuideASD { $enabled = $true $rules = $all_rules | Where-Object { RuleFilter $_ $eids $channels $guid } $rules | ForEach-Object { $_.applicable = $enabled } - $current = if ($enabled) { "Enabled" } else { "Disabled" } + $current = if ($enabled) { "Enabled" } else { "No auditing" } $auditResult += [WELA]::New( "Security-Mitigations KernelMode", "", @@ -2466,7 +2466,7 @@ function GuideASD { $enabled = $true $rules = $all_rules | Where-Object { RuleFilter $_ $eids $channels $guid } $rules | ForEach-Object { $_.applicable = $enabled } - $current = if ($enabled) { "Enabled" } else { "Disabled" } + $current = if ($enabled) { "Enabled" } else { "No auditing" } $auditResult += [WELA]::New( "Security-Mitigations UserMode", "", @@ -2485,7 +2485,7 @@ function GuideASD { $enabled = $true $rules = $all_rules | Where-Object { RuleFilter $_ $eids $channels $guid } $rules | ForEach-Object { $_.applicable = $enabled } - $current = if ($enabled) { "Enabled" } else { "Disabled" } + $current = if ($enabled) { "Enabled" } else { "No auditing" } $auditResult += [WELA]::New( "SMBClient Security", "", 
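Review bot: In the Security-Mitigations KernelMode/UserMode and SMBClient Security hunks (2447, 2466, 2485) `$enabled = $true` is hard-coded, so the new `$current` line can only ever print `Enabled` and the report claims these channels are configured without checking anything; a host with the channel switched off passes silently. These are event channels rather than audit subcategories, so the (unreachable) `"No auditing"` branch is also the wrong vocabulary — `Disabled` was correct there. Either probe the channel, presumably something like `$enabled = (Get-WinEvent -ListLog 'Microsoft-Windows-Security-Mitigations/KernelMode' -ErrorAction SilentlyContinue).IsEnabled -eq $true` (confirm the channel names against the categories), or set `$current = "Not checked"` so the report does not overstate coverage. GuideASD starts and ends outside the hunk.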
@@ -2766,7 +2766,7 @@ function GuideMSC { $enabled = CheckRegistryValue -registryPath "HKLM:\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\PowerShell\ModuleLogging" -valueName "EnableModuleLogging" -expectedValue 1 $rules = $all_rules | Where-Object { RuleFilter $_ $eids $channels $guid } $rules | ForEach-Object { $_.applicable = $enabled } - $current = if ($enabled) { "Enabled" } else { "Disabled" } + $current = if ($enabled) { "Enabled" } else { "No auditing" } $auditResult += [WELA]::New( "PowerShell", "Module", @@ -2785,7 +2785,7 @@ function GuideMSC { $enabled = CheckRegistryValue -registryPath "HKLM:\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging" -valueName "EnableScriptBlockLogging" -expectedValue 1 $rules = $all_rules | Where-Object { RuleFilter $_ $eids $channels $guid } $rules | ForEach-Object { $_.applicable = $enabled } - $current = if ($enabled) { "Enabled" } else { "Disabled" } + $current = if ($enabled) { "Enabled" } else { "No auditing" } $auditResult += [WELA]::New( "PowerShell", "ScriptBlock", @@ -2842,7 +2842,7 @@ function GuideMSC { $channels = @("sec") $enabled = $enabledguid -contains $guid $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid - $current = if ($enabled) { "Enabled" } else { "Disabled" } + $current = if ($enabled) { "Enabled" } else { "No auditing" } $auditResult += [WELA]::New( "Security Advanced (Account Logon)", "Credential Validation", @@ -2860,7 +2860,7 @@ function GuideMSC { $channels = @("sec") $enabled = $enabledguid -contains $guid $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid - $current = if ($enabled) { "Enabled" } else { "Disabled" } + $current = if ($enabled) { "Enabled" } else { "No auditing" } $auditResult += [WELA]::New( "Security Advanced (Account Logon)", "Kerberos Authentication Service", 
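Review bot: For the PowerShell Module and ScriptBlock hunks (2766, 2785) the replacement label `"No auditing"` is misleading: these are registry policy toggles, not audit-policy subcategories, so `Disabled` (or `Not configured`) described the state correctly and `No auditing` suggests an auditpol setting that does not exist. Separately, the check reads only the `Wow6432Node` policy path, whereas the PowerShell ADMX policies are written under `HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\...`, so a host with logging enabled at the native path may be reported as not logging. Read the native path too, e.g. `$enabled = (CheckRegistryValue -registryPath "HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ModuleLogging" -valueName "EnableModuleLogging" -expectedValue 1) -or (CheckRegistryValue -registryPath "HKLM:\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\PowerShell\ModuleLogging" -valueName "EnableModuleLogging" -expectedValue 1)`; this assumes CheckRegistryValue returns a boolean, which I cannot see from here. GuideMSC continues outside the hunk.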
@@ -2878,7 +2878,7 @@ function GuideMSC { $channels = @("sec") $enabled = $enabledguid -contains $guid $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid - $current = if ($enabled) { "Enabled" } else { "Disabled" } + $current = if ($enabled) { "Enabled" } else { "No auditing" } $auditResult += [WELA]::New( "Security Advanced (Account Logon)", "Kerberos Service Ticket Operations", @@ -2897,7 +2897,7 @@ function GuideMSC { $channels = @("sec") $enabled = $enabledguid -contains $guid $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid - $current = if ($enabled) { "Enabled" } else { "Disabled" } + $current = if ($enabled) { "Enabled" } else { "No auditing" } $auditResult += [WELA]::New( "Security Advanced (Account Management)", "Computer Account Management", @@ -2915,7 +2915,7 @@ function GuideMSC { $channels = @("sec") $enabled = $enabledguid -contains $guid $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid - $current = if ($enabled) { "Enabled" } else { "Disabled" } + $current = if ($enabled) { "Enabled" } else { "No auditing" } $auditResult += [WELA]::New( "Security Advanced (Account Management)", "Other Account Management Events", @@ -2933,7 +2933,7 @@ function GuideMSC { $channels = @("sec") $enabled = $enabledguid -contains $guid $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid - $current = if ($enabled) { "Enabled" } else { "Disabled" } + $current = if ($enabled) { "Enabled" } else { "No auditing" } $auditResult += [WELA]::New( "Security Advanced (Account Management)", "Security Group Management", @@ -2951,7 +2951,7 @@ function GuideMSC { $channels = @("sec") $enabled = $enabledguid -contains $guid $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid - $current = if ($enabled) { "Enabled" } else { "Disabled" } + $current = if ($enabled) { "Enabled" } else { "No auditing" } $auditResult += [WELA]::New( "Security Advanced (Account Management)", "User Account Management", 
@@ -2970,7 +2970,7 @@ function GuideMSC { $channels = @("sec") $enabled = $enabledguid -contains $guid $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid - $current = if ($enabled) { "Enabled" } else { "Disabled" } + $current = if ($enabled) { "Enabled" } else { "No auditing" } $auditResult += [WELA]::New( "Security Advanced (Detailed Tracking)", "Plug and Play Events", @@ -2988,7 +2988,7 @@ function GuideMSC { $channels = @("sec") $enabled = $enabledguid -contains $guid $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid - $current = if ($enabled) { "Enabled" } else { "Disabled" } + $current = if ($enabled) { "Enabled" } else { "No auditing" } $auditResult += [WELA]::New( "Security Advanced (Detailed Tracking)", "Process Creation", @@ -3006,7 +3006,7 @@ function GuideMSC { $channels = @("sec") $enabled = $enabledguid -contains $guid $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid - $current = if ($enabled) { "Enabled" } else { "Disabled" } + $current = if ($enabled) { "Enabled" } else { "No auditing" } $auditResult += [WELA]::New( "Security Advanced (Detailed Tracking)", "Process Termination", @@ -3024,7 +3024,7 @@ function GuideMSC { $channels = @("sec") $enabled = $enabledguid -contains $guid $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid - $current = if ($enabled) { "Enabled" } else { "Disabled" } + $current = if ($enabled) { "Enabled" } else { "No auditing" } $auditResult += [WELA]::New( "Security Advanced (Detailed Tracking)", "RPC Events", @@ -3042,7 +3042,7 @@ function GuideMSC { $channels = @("sec") $enabled = $enabledguid -contains $guid $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid - $current = if ($enabled) { "Enabled" } else { "Disabled" } + $current = if ($enabled) { "Enabled" } else { "No auditing" } $auditResult += [WELA]::New( "Security Advanced (Detailed Tracking)", "Token Right Adjusted Events", 
@@ -3061,7 +3061,7 @@ function GuideMSC { $channels = @("sec") $enabled = $enabledguid -contains $guid $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid - $current = if ($enabled) { "Enabled" } else { "Disabled" } + $current = if ($enabled) { "Enabled" } else { "No auditing" } $auditResult += [WELA]::New( "Security Advanced (DS Access)", "Directory Service Access", @@ -3079,7 +3079,7 @@ function GuideMSC { $channels = @("sec") $enabled = $enabledguid -contains $guid $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid - $current = if ($enabled) { "Enabled" } else { "Disabled" } + $current = if ($enabled) { "Enabled" } else { "No auditing" } $auditResult += [WELA]::New( "Security Advanced (DS Access)", "Directory Service Changes", @@ -3098,7 +3098,7 @@ function GuideMSC { $channels = @("sec") $enabled = $enabledguid -contains $guid $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid - $current = if ($enabled) { "Enabled" } else { "Disabled" } + $current = if ($enabled) { "Enabled" } else { "No auditing" } $auditResult += [WELA]::New( "Security Advanced (Logon/Logoff)", "Account Lockout", @@ -3116,7 +3116,7 @@ function GuideMSC { $channels = @("sec") $enabled = $enabledguid -contains $guid $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid - $current = if ($enabled) { "Enabled" } else { "Disabled" } + $current = if ($enabled) { "Enabled" } else { "No auditing" } $auditResult += [WELA]::New( "Security Advanced (Logon/Logoff)", "Group Membership", @@ -3134,7 +3134,7 @@ function GuideMSC { $channels = @("sec") $enabled = $enabledguid -contains $guid $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid - $current = if ($enabled) { "Enabled" } else { "Disabled" } + $current = if ($enabled) { "Enabled" } else { "No auditing" } $auditResult += [WELA]::New( "Security Advanced (Logon/Logoff)", "Group Membership", 
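Review bot: The hunks at 3116 and 3134 both label their rows `"Security Advanced (Logon/Logoff)"` / `"Group Membership"`, so the new `$current` value appears twice under the same name and the report cannot say which subcategory is `No auditing`. The GUIDs are outside the hunk; given the alphabetical ordering of the surrounding rows the second is presumably meant to be `"Logoff"`, but verify against the GUID before renaming. GuideMSC continues outside the hunk.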
@@ -3152,7 +3152,7 @@ function GuideMSC { $channels = @("sec") $enabled = $enabledguid -contains $guid $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid - $current = if ($enabled) { "Enabled" } else { "Disabled" } + $current = if ($enabled) { "Enabled" } else { "No auditing" } $auditResult += [WELA]::New( "Security Advanced (Logon/Logoff)", "Logon", @@ -3170,7 +3170,7 @@ function GuideMSC { $channels = @("sec") $enabled = $enabledguid -contains $guid $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid - $current = if ($enabled) { "Enabled" } else { "Disabled" } + $current = if ($enabled) { "Enabled" } else { "No auditing" } $auditResult += [WELA]::New( "Security Advanced (Logon/Logoff)", "Other Logon/Logoff Events", @@ -3188,7 +3188,7 @@ function GuideMSC { $channels = @("sec") $enabled = $enabledguid -contains $guid $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid - $current = if ($enabled) { "Enabled" } else { "Disabled" } + $current = if ($enabled) { "Enabled" } else { "No auditing" } $auditResult += [WELA]::New( "Security Advanced (Logon/Logoff)", "Special Logon", @@ -3208,7 +3208,7 @@ function GuideMSC { $channels = @("sec") $enabled = $enabledguid -contains $guid $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid - $current = if ($enabled) { "Enabled" } else { "Disabled" } + $current = if ($enabled) { "Enabled" } else { "No auditing" } $auditResult += [WELA]::New( "Security Advanced (Object Access)", "Certification Services", @@ -3226,7 +3226,7 @@ function GuideMSC { $channels = @("sec") $enabled = $enabledguid -contains $guid $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid - $current = if ($enabled) { "Enabled" } else { "Disabled" } + $current = if ($enabled) { "Enabled" } else { "No auditing" } $auditResult += [WELA]::New( "Security Advanced (Object Access)", "Certification Services", 
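Review bot: The hunks at 3208 and 3226 both label their rows `"Security Advanced (Object Access)"` / `"Certification Services"`, so the new `$current` line is reported twice under one name. The GUIDs are outside the hunk; if they differ, one row is presumably mislabelled (the Object Access category also has `Detailed File Share`, which would fit the ordering before `File Share`), so check the GUID and rename. GuideMSC continues outside the hunk.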
@@ -3244,7 +3244,7 @@ function GuideMSC { $channels = @("sec") $enabled = $enabledguid -contains $guid $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid - $current = if ($enabled) { "Enabled" } else { "Disabled" } + $current = if ($enabled) { "Enabled" } else { "No auditing" } $auditResult += [WELA]::New( "Security Advanced (Object Access)", "File Share", @@ -3262,7 +3262,7 @@ function GuideMSC { $channels = @("sec") $enabled = $enabledguid -contains $guid $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid - $current = if ($enabled) { "Enabled" } else { "Disabled" } + $current = if ($enabled) { "Enabled" } else { "No auditing" } $auditResult += [WELA]::New( "Security Advanced (Object Access)", "File System", @@ -3280,7 +3280,7 @@ function GuideMSC { $channels = @("sec") $enabled = $enabledguid -contains $guid $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid - $current = if ($enabled) { "Enabled" } else { "Disabled" } + $current = if ($enabled) { "Enabled" } else { "No auditing" } $auditResult += [WELA]::New( "Security Advanced (Object Access)", "Filtering Platform Connection", @@ -3298,7 +3298,7 @@ function GuideMSC { $channels = @("sec") $enabled = $enabledguid -contains $guid $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid - $current = if ($enabled) { "Enabled" } else { "Disabled" } + $current = if ($enabled) { "Enabled" } else { "No auditing" } $auditResult += [WELA]::New( "Security Advanced (Object Access)", "Filtering Platform Packet Drop", @@ -3316,7 +3316,7 @@ function GuideMSC { $channels = @("sec") $enabled = $enabledguid -contains $guid $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid - $current = if ($enabled) { "Enabled" } else { "Disabled" } + $current = if ($enabled) { "Enabled" } else { "No auditing" } $auditResult += [WELA]::New( "Security Advanced (Object Access)", "Kernel Object", 
@@ -3334,7 +3334,7 @@ function GuideMSC { $channels = @("sec") $enabled = $enabledguid -contains $guid $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid - $current = if ($enabled) { "Enabled" } else { "Disabled" } + $current = if ($enabled) { "Enabled" } else { "No auditing" } $auditResult += [WELA]::New( "Security Advanced (Object Access)", "Handle Manipulation", @@ -3352,7 +3352,7 @@ function GuideMSC { $channels = @("sec") $enabled = $enabledguid -contains $guid $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid - $current = if ($enabled) { "Enabled" } else { "Disabled" } + $current = if ($enabled) { "Enabled" } else { "No auditing" } $auditResult += [WELA]::New( "Security Advanced (Object Access)", "Other Object Access Events", @@ -3370,7 +3370,7 @@ function GuideMSC { $channels = @("sec") $enabled = $enabledguid -contains $guid $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid - $current = if ($enabled) { "Enabled" } else { "Disabled" } + $current = if ($enabled) { "Enabled" } else { "No auditing" } $auditResult += [WELA]::New( "Security Advanced (Object Access)", "Registry", @@ -3388,7 +3388,7 @@ function GuideMSC { $channels = @("sec") $enabled = $enabledguid -contains $guid $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid - $current = if ($enabled) { "Enabled" } else { "Disabled" } + $current = if ($enabled) { "Enabled" } else { "No auditing" } $auditResult += [WELA]::New( "Security Advanced (Object Access)", "Removable Storage", @@ -3406,7 +3406,7 @@ function GuideMSC { $channels = @("sec") $enabled = $enabledguid -contains $guid $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid - $current = if ($enabled) { "Enabled" } else { "Disabled" } + $current = if ($enabled) { "Enabled" } else { "No auditing" } $auditResult += [WELA]::New( "Security Advanced (Object Access)", "SAM", 
@@ -3425,7 +3425,7 @@ function GuideMSC { $channels = @("sec") $enabled = $enabledguid -contains $guid $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid - $current = if ($enabled) { "Enabled" } else { "Disabled" } + $current = if ($enabled) { "Enabled" } else { "No auditing" } $auditResult += [WELA]::New( "Security Advanced (Policy Change)", "Audit Policy Change", @@ -3443,7 +3443,7 @@ function GuideMSC { $channels = @("sec") $enabled = $enabledguid -contains $guid $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid - $current = if ($enabled) { "Enabled" } else { "Disabled" } + $current = if ($enabled) { "Enabled" } else { "No auditing" } $auditResult += [WELA]::New( "Security Advanced (Policy Change)", "Authentication Policy Change", @@ -3461,7 +3461,7 @@ function GuideMSC { $channels = @("sec") $enabled = $enabledguid -contains $guid $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid - $current = if ($enabled) { "Enabled" } else { "Disabled" } + $current = if ($enabled) { "Enabled" } else { "No auditing" } $auditResult += [WELA]::New( "Security Advanced (Policy Change)", "Authorization Policy Change", @@ -3479,7 +3479,7 @@ function GuideMSC { $channels = @("sec") $enabled = $enabledguid -contains $guid $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid - $current = if ($enabled) { "Enabled" } else { "Disabled" } + $current = if ($enabled) { "Enabled" } else { "No auditing" } $auditResult += [WELA]::New( "Security Advanced (Policy Change)", "Filtering Platform Policy Change", @@ -3497,7 +3497,7 @@ function GuideMSC { $channels = @("sec") $enabled = $enabledguid -contains $guid $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid - $current = if ($enabled) { "Enabled" } else { "Disabled" } + $current = if ($enabled) { "Enabled" } else { "No auditing" } $auditResult += [WELA]::New( "Security Advanced (Policy Change)", "MPSSVC Rule-Level Policy Change", 
@@ -3515,7 +3515,7 @@ function GuideMSC { $channels = @("sec") $enabled = $enabledguid -contains $guid $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid - $current = if ($enabled) { "Enabled" } else { "Disabled" } + $current = if ($enabled) { "Enabled" } else { "No auditing" } $auditResult += [WELA]::New( "Security Advanced (Policy Change)", "Other Policy Change Events", @@ -3534,7 +3534,7 @@ function GuideMSC { $channels = @("sec") $enabled = $enabledguid -contains $guid $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid - $current = if ($enabled) { "Enabled" } else { "Disabled" } + $current = if ($enabled) { "Enabled" } else { "No auditing" } $auditResult += [WELA]::New( "Security Advanced (Privilege Use)", "Non-Sensitive Privilege Use", @@ -3552,7 +3552,7 @@ function GuideMSC { $channels = @("sec") $enabled = $enabledguid -contains $guid $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid - $current = if ($enabled) { "Enabled" } else { "Disabled" } + $current = if ($enabled) { "Enabled" } else { "No auditing" } $auditResult += [WELA]::New( "Security Advanced (Privilege Use)", "Sensitive Privilege Use", @@ -3571,7 +3571,7 @@ function GuideMSC { $channels = @("sec") $enabled = $enabledguid -contains $guid $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid - $current = if ($enabled) { "Enabled" } else { "Disabled" } + $current = if ($enabled) { "Enabled" } else { "No auditing" } $auditResult += [WELA]::New( "Security Advanced (System)", "Other System Events", @@ -3589,7 +3589,7 @@ function GuideMSC { $channels = @("sec") $enabled = $enabledguid -contains $guid $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid - $current = if ($enabled) { "Enabled" } else { "Disabled" } + $current = if ($enabled) { "Enabled" } else { "No auditing" } $auditResult += [WELA]::New( "Security Advanced (System)", "Other System Events", 
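Review bot: The hunks at 3571 and 3589 both label their rows `"Security Advanced (System)"` / `"Other System Events"`, so two rows with the new `$current` value share one name and the reader cannot tell which subcategory is `No auditing`. The GUIDs are outside the hunk; if they differ, one label is presumably a copy-paste slip (IPsec Driver and Security State Change are the other System subcategories), so verify and rename. GuideMSC continues outside the hunk.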
@@ -3607,7 +3607,7 @@ function GuideMSC { $channels = @("sec") $enabled = $enabledguid -contains $guid $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid - $current = if ($enabled) { "Enabled" } else { "Disabled" } + $current = if ($enabled) { "Enabled" } else { "No auditing" } $auditResult += [WELA]::New( "Security Advanced (System)", "Security System Extension", @@ -3625,7 +3625,7 @@ function GuideMSC { $channels = @("sec") $enabled = $enabledguid -contains $guid $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid - $current = if ($enabled) { "Enabled" } else { "Disabled" } + $current = if ($enabled) { "Enabled" } else { "No auditing" } $auditResult += [WELA]::New( "Security Advanced (System)", "System Integrity", @@ -3644,7 +3644,7 @@ function GuideMSC { $enabled = $true $rules = $all_rules | Where-Object { RuleFilter $_ $eids $channels $guid } $rules | ForEach-Object { $_.applicable = $enabled } - $current = if ($enabled) { "Enabled" } else { "Disabled" } + $current = if ($enabled) { "Enabled" } else { "No auditing" } $auditResult += [WELA]::New( "Security-Mitigations KernelMode", "", @@ -3663,7 +3663,7 @@ function GuideMSC { $enabled = $true $rules = $all_rules | Where-Object { RuleFilter $_ $eids $channels $guid } $rules | ForEach-Object { $_.applicable = $enabled } - $current = if ($enabled) { "Enabled" } else { "Disabled" } + $current = if ($enabled) { "Enabled" } else { "No auditing" } $auditResult += [WELA]::New( "Security-Mitigations UserMode", "", @@ -3682,7 +3682,7 @@ function GuideMSC { $enabled = $true $rules = $all_rules | Where-Object { RuleFilter $_ $eids $channels $guid } $rules | ForEach-Object { $_.applicable = $enabled } - $current = if ($enabled) { "Enabled" } else { "Disabled" } + $current = if ($enabled) { "Enabled" } else { "No auditing" } $auditResult += [WELA]::New( "SMBClient Security", "", 
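Review bot: In the Security-Mitigations KernelMode/UserMode and SMBClient Security hunks (3644, 3663, 3682) `$enabled = $true` is hard-coded, so the new `$current` line always prints `Enabled` and these channels are reported as configured without any check. They are event channels, not audit subcategories, so the unreachable `"No auditing"` branch is also the wrong term — `Disabled` was accurate. Probe the channel (presumably `(Get-WinEvent -ListLog 'Microsoft-Windows-SMBClient/Security' -ErrorAction SilentlyContinue).IsEnabled -eq $true`, confirm the channel names) or report `$current = "Not checked"` rather than overstating coverage. GuideMSC starts and ends outside the hunk.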
@@ -3962,7 +3962,7 @@ function GuideMSS { $enabled = CheckRegistryValue -registryPath "HKLM:\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\PowerShell\ModuleLogging" -valueName "EnableModuleLogging" -expectedValue 1 $rules = $all_rules | Where-Object { RuleFilter $_ $eids $channels $guid } $rules | ForEach-Object { $_.applicable = $enabled } - $current = if ($enabled) { "Enabled" } else { "Disabled" } + $current = if ($enabled) { "Enabled" } else { "No auditing" } $auditResult += [WELA]::New( "PowerShell", "Module", @@ -3981,7 +3981,7 @@ function GuideMSS { $enabled = CheckRegistryValue -registryPath "HKLM:\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging" -valueName "EnableScriptBlockLogging" -expectedValue 1 $rules = $all_rules | Where-Object { RuleFilter $_ $eids $channels $guid } $rules | ForEach-Object { $_.applicable = $enabled } - $current = if ($enabled) { "Enabled" } else { "Disabled" } + $current = if ($enabled) { "Enabled" } else { "No auditing" } $auditResult += [WELA]::New( "PowerShell", "ScriptBlock", @@ -4038,7 +4038,7 @@ function GuideMSS { $channels = @("sec") $enabled = $enabledguid -contains $guid $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid - $current = if ($enabled) { "Enabled" } else { "Disabled" } + $current = if ($enabled) { "Enabled" } else { "No auditing" } $auditResult += [WELA]::New( "Security Advanced (Account Logon)", "Credential Validation", @@ -4056,7 +4056,7 @@ function GuideMSS { $channels = @("sec") $enabled = $enabledguid -contains $guid $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid - $current = if ($enabled) { "Enabled" } else { "Disabled" } + $current = if ($enabled) { "Enabled" } else { "No auditing" } $auditResult += [WELA]::New( "Security Advanced (Account Logon)", "Kerberos Authentication Service", 
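Review bot: For the PowerShell Module and ScriptBlock hunks (3962, 3981) `"No auditing"` is the wrong label: module and script-block logging are registry policy toggles, not audit-policy subcategories, and `Disabled` described a missing or zero value correctly. The check also reads only the `Wow6432Node` path; the PowerShell ADMX policies land under `HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\...`, so logging enabled at the native path may be reported as off — combine both paths with `-or`, e.g. `$enabled = (CheckRegistryValue -registryPath "HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging" -valueName "EnableScriptBlockLogging" -expectedValue 1) -or (CheckRegistryValue -registryPath "HKLM:\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging" -valueName "EnableScriptBlockLogging" -expectedValue 1)`, assuming CheckRegistryValue returns a boolean. GuideMSS continues outside the hunk.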
@@ -4074,7 +4074,7 @@ function GuideMSS { $channels = @("sec") $enabled = $enabledguid -contains $guid $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid - $current = if ($enabled) { "Enabled" } else { "Disabled" } + $current = if ($enabled) { "Enabled" } else { "No auditing" } $auditResult += [WELA]::New( "Security Advanced (Account Logon)", "Kerberos Service Ticket Operations", @@ -4093,7 +4093,7 @@ function GuideMSS { $channels = @("sec") $enabled = $enabledguid -contains $guid $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid - $current = if ($enabled) { "Enabled" } else { "Disabled" } + $current = if ($enabled) { "Enabled" } else { "No auditing" } $auditResult += [WELA]::New( "Security Advanced (Account Management)", "Computer Account Management", @@ -4111,7 +4111,7 @@ function GuideMSS { $channels = @("sec") $enabled = $enabledguid -contains $guid $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid - $current = if ($enabled) { "Enabled" } else { "Disabled" } + $current = if ($enabled) { "Enabled" } else { "No auditing" } $auditResult += [WELA]::New( "Security Advanced (Account Management)", "Other Account Management Events", @@ -4129,7 +4129,7 @@ function GuideMSS { $channels = @("sec") $enabled = $enabledguid -contains $guid $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid - $current = if ($enabled) { "Enabled" } else { "Disabled" } + $current = if ($enabled) { "Enabled" } else { "No auditing" } $auditResult += [WELA]::New( "Security Advanced (Account Management)", "Security Group Management", @@ -4147,7 +4147,7 @@ function GuideMSS { $channels = @("sec") $enabled = $enabledguid -contains $guid $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid - $current = if ($enabled) { "Enabled" } else { "Disabled" } + $current = if ($enabled) { "Enabled" } else { "No auditing" } $auditResult += [WELA]::New( "Security Advanced (Account Management)", "User Account Management", 
@@ -4166,7 +4166,7 @@ function GuideMSS { $channels = @("sec") $enabled = $enabledguid -contains $guid $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid - $current = if ($enabled) { "Enabled" } else { "Disabled" } + $current = if ($enabled) { "Enabled" } else { "No auditing" } $auditResult += [WELA]::New( "Security Advanced (Detailed Tracking)", "Plug and Play Events", @@ -4184,7 +4184,7 @@ function GuideMSS { $channels = @("sec") $enabled = $enabledguid -contains $guid $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid - $current = if ($enabled) { "Enabled" } else { "Disabled" } + $current = if ($enabled) { "Enabled" } else { "No auditing" } $auditResult += [WELA]::New( "Security Advanced (Detailed Tracking)", "Process Creation", @@ -4202,7 +4202,7 @@ function GuideMSS { $channels = @("sec") $enabled = $enabledguid -contains $guid $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid - $current = if ($enabled) { "Enabled" } else { "Disabled" } + $current = if ($enabled) { "Enabled" } else { "No auditing" } $auditResult += [WELA]::New( "Security Advanced (Detailed Tracking)", "Process Termination", @@ -4220,7 +4220,7 @@ function GuideMSS { $channels = @("sec") $enabled = $enabledguid -contains $guid $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid - $current = if ($enabled) { "Enabled" } else { "Disabled" } + $current = if ($enabled) { "Enabled" } else { "No auditing" } $auditResult += [WELA]::New( "Security Advanced (Detailed Tracking)", "RPC Events", @@ -4238,7 +4238,7 @@ function GuideMSS { $channels = @("sec") $enabled = $enabledguid -contains $guid $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid - $current = if ($enabled) { "Enabled" } else { "Disabled" } + $current = if ($enabled) { "Enabled" } else { "No auditing" } $auditResult += [WELA]::New( "Security Advanced (Detailed Tracking)", "Token Right Adjusted Events", 
@@ -4257,7 +4257,7 @@ function GuideMSS { $channels = @("sec") $enabled = $enabledguid -contains $guid $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid - $current = if ($enabled) { "Enabled" } else { "Disabled" } + $current = if ($enabled) { "Enabled" } else { "No auditing" } $auditResult += [WELA]::New( "Security Advanced (DS Access)", "Directory Service Access", @@ -4275,7 +4275,7 @@ function GuideMSS { $channels = @("sec") $enabled = $enabledguid -contains $guid $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid - $current = if ($enabled) { "Enabled" } else { "Disabled" } + $current = if ($enabled) { "Enabled" } else { "No auditing" } $auditResult += [WELA]::New( "Security Advanced (DS Access)", "Directory Service Changes", @@ -4294,7 +4294,7 @@ function GuideMSS { $channels = @("sec") $enabled = $enabledguid -contains $guid $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid - $current = if ($enabled) { "Enabled" } else { "Disabled" } + $current = if ($enabled) { "Enabled" } else { "No auditing" } $auditResult += [WELA]::New( "Security Advanced (Logon/Logoff)", "Account Lockout", @@ -4312,7 +4312,7 @@ function GuideMSS { $channels = @("sec") $enabled = $enabledguid -contains $guid $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid - $current = if ($enabled) { "Enabled" } else { "Disabled" } + $current = if ($enabled) { "Enabled" } else { "No auditing" } $auditResult += [WELA]::New( "Security Advanced (Logon/Logoff)", "Group Membership", @@ -4330,7 +4330,7 @@ function GuideMSS { $channels = @("sec") $enabled = $enabledguid -contains $guid $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid - $current = if ($enabled) { "Enabled" } else { "Disabled" } + $current = if ($enabled) { "Enabled" } else { "No auditing" } $auditResult += [WELA]::New( "Security Advanced (Logon/Logoff)", "Group Membership", 
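Review bot: The hunks at 4312 and 4330 both label their rows `"Security Advanced (Logon/Logoff)"` / `"Group Membership"`, so the new `$current` value is printed twice under one name and the report cannot distinguish the two subcategories. The GUIDs are outside the hunk; the second is presumably meant to be `"Logoff"` given the ordering, but verify against the GUID before renaming. GuideMSS continues outside the hunk.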
@@ -4348,7 +4348,7 @@ function GuideMSS { $channels = @("sec") $enabled = $enabledguid -contains $guid $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid - $current = if ($enabled) { "Enabled" } else { "Disabled" } + $current = if ($enabled) { "Enabled" } else { "No auditing" } $auditResult += [WELA]::New( "Security Advanced (Logon/Logoff)", "Logon", @@ -4366,7 +4366,7 @@ function GuideMSS { $channels = @("sec") $enabled = $enabledguid -contains $guid $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid - $current = if ($enabled) { "Enabled" } else { "Disabled" } + $current = if ($enabled) { "Enabled" } else { "No auditing" } $auditResult += [WELA]::New( "Security Advanced (Logon/Logoff)", "Other Logon/Logoff Events", @@ -4384,7 +4384,7 @@ function GuideMSS { $channels = @("sec") $enabled = $enabledguid -contains $guid $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid - $current = if ($enabled) { "Enabled" } else { "Disabled" } + $current = if ($enabled) { "Enabled" } else { "No auditing" } $auditResult += [WELA]::New( "Security Advanced (Logon/Logoff)", "Special Logon", @@ -4404,7 +4404,7 @@ function GuideMSS { $channels = @("sec") $enabled = $enabledguid -contains $guid $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid - $current = if ($enabled) { "Enabled" } else { "Disabled" } + $current = if ($enabled) { "Enabled" } else { "No auditing" } $auditResult += [WELA]::New( "Security Advanced (Object Access)", "Certification Services", @@ -4422,7 +4422,7 @@ function GuideMSS { $channels = @("sec") $enabled = $enabledguid -contains $guid $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid - $current = if ($enabled) { "Enabled" } else { "Disabled" } + $current = if ($enabled) { "Enabled" } else { "No auditing" } $auditResult += [WELA]::New( "Security Advanced (Object Access)", "Certification Services", 
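Review bot: The hunks at 4404 and 4422 both label their rows `"Security Advanced (Object Access)"` / `"Certification Services"`, so two rows carrying the new `$current` value share a name. The GUIDs are outside the hunk; if they differ, one row is presumably mislabelled (`Detailed File Share` would fit the ordering before `File Share`), so check the GUID and rename. GuideMSS continues outside the hunk.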
@@ -4440,7 +4440,7 @@ function GuideMSS {
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Enabled" } else { "Disabled" }
+ $current = if ($enabled) { "Enabled" } else { "No auditing" }
 $auditResult += [WELA]::New(
 "Security Advanced (Object Access)",
 "File Share",
@@ -4458,7 +4458,7 @@ function GuideMSS {
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Enabled" } else { "Disabled" }
+ $current = if ($enabled) { "Enabled" } else { "No auditing" }
 $auditResult += [WELA]::New(
 "Security Advanced (Object Access)",
 "File System",
@@ -4476,7 +4476,7 @@ function GuideMSS {
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Enabled" } else { "Disabled" }
+ $current = if ($enabled) { "Enabled" } else { "No auditing" }
 $auditResult += [WELA]::New(
 "Security Advanced (Object Access)",
 "Filtering Platform Connection",
@@ -4494,7 +4494,7 @@ function GuideMSS {
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Enabled" } else { "Disabled" }
+ $current = if ($enabled) { "Enabled" } else { "No auditing" }
 $auditResult += [WELA]::New(
 "Security Advanced (Object Access)",
 "Filtering Platform Packet Drop",
@@ -4512,7 +4512,7 @@ function GuideMSS {
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Enabled" } else { "Disabled" }
+ $current = if ($enabled) { "Enabled" } else { "No auditing" }
 $auditResult += [WELA]::New(
 "Security Advanced (Object Access)",
 "Kernel Object",
@@ -4530,7 +4530,7 @@ function GuideMSS {
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Enabled" } else { "Disabled" }
+ $current = if ($enabled) { "Enabled" } else { "No auditing" }
 $auditResult += [WELA]::New(
 "Security Advanced (Object Access)",
 "Handle Manipulation",
@@ -4548,7 +4548,7 @@ function GuideMSS {
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Enabled" } else { "Disabled" }
+ $current = if ($enabled) { "Enabled" } else { "No auditing" }
 $auditResult += [WELA]::New(
 "Security Advanced (Object Access)",
 "Other Object Access Events",
@@ -4566,7 +4566,7 @@ function GuideMSS {
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Enabled" } else { "Disabled" }
+ $current = if ($enabled) { "Enabled" } else { "No auditing" }
 $auditResult += [WELA]::New(
 "Security Advanced (Object Access)",
 "Registry",
@@ -4584,7 +4584,7 @@ function GuideMSS {
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Enabled" } else { "Disabled" }
+ $current = if ($enabled) { "Enabled" } else { "No auditing" }
 $auditResult += [WELA]::New(
 "Security Advanced (Object Access)",
 "Removable Storage",
@@ -4602,7 +4602,7 @@ function GuideMSS {
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Enabled" } else { "Disabled" }
+ $current = if ($enabled) { "Enabled" } else { "No auditing" }
 $auditResult += [WELA]::New(
 "Security Advanced (Object Access)",
 "SAM",
@@ -4621,7 +4621,7 @@ function GuideMSS {
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Enabled" } else { "Disabled" }
+ $current = if ($enabled) { "Enabled" } else { "No auditing" }
 $auditResult += [WELA]::New(
 "Security Advanced (Policy Change)",
 "Audit Policy Change",
@@ -4639,7 +4639,7 @@ function GuideMSS {
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Enabled" } else { "Disabled" }
+ $current = if ($enabled) { "Enabled" } else { "No auditing" }
 $auditResult += [WELA]::New(
 "Security Advanced (Policy Change)",
 "Authentication Policy Change",
@@ -4657,7 +4657,7 @@ function GuideMSS {
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Enabled" } else { "Disabled" }
+ $current = if ($enabled) { "Enabled" } else { "No auditing" }
 $auditResult += [WELA]::New(
 "Security Advanced (Policy Change)",
 "Authorization Policy Change",
@@ -4675,7 +4675,7 @@ function GuideMSS {
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Enabled" } else { "Disabled" }
+ $current = if ($enabled) { "Enabled" } else { "No auditing" }
 $auditResult += [WELA]::New(
 "Security Advanced (Policy Change)",
 "Filtering Platform Policy Change",
@@ -4693,7 +4693,7 @@ function GuideMSS {
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Enabled" } else { "Disabled" }
+ $current = if ($enabled) { "Enabled" } else { "No auditing" }
 $auditResult += [WELA]::New(
 "Security Advanced (Policy Change)",
 "MPSSVC Rule-Level Policy Change",
@@ -4711,7 +4711,7 @@ function GuideMSS {
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Enabled" } else { "Disabled" }
+ $current = if ($enabled) { "Enabled" } else { "No auditing" }
 $auditResult += [WELA]::New(
 "Security Advanced (Policy Change)",
 "Other Policy Change Events",
@@ -4730,7 +4730,7 @@ function GuideMSS {
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Enabled" } else { "Disabled" }
+ $current = if ($enabled) { "Enabled" } else { "No auditing" }
 $auditResult += [WELA]::New(
 "Security Advanced (Privilege Use)",
 "Non-Sensitive Privilege Use",
@@ -4748,7 +4748,7 @@ function GuideMSS {
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Enabled" } else { "Disabled" }
+ $current = if ($enabled) { "Enabled" } else { "No auditing" }
 $auditResult += [WELA]::New(
 "Security Advanced (Privilege Use)",
 "Sensitive Privilege Use",
@@ -4767,7 +4767,7 @@ function GuideMSS {
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Enabled" } else { "Disabled" }
+ $current = if ($enabled) { "Enabled" } else { "No auditing" }
 $auditResult += [WELA]::New(
 "Security Advanced (System)",
 "Other System Events",
@@ -4785,7 +4785,7 @@ function GuideMSS {
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Enabled" } else { "Disabled" }
+ $current = if ($enabled) { "Enabled" } else { "No auditing" }
 $auditResult += [WELA]::New(
 "Security Advanced (System)",
 "Other System Events",
@@ -4803,7 +4803,7 @@ function GuideMSS {
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Enabled" } else { "Disabled" }
+ $current = if ($enabled) { "Enabled" } else { "No auditing" }
 $auditResult += [WELA]::New(
 "Security Advanced (System)",
 "Security System Extension",
@@ -4821,7 +4821,7 @@ function GuideMSS {
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Enabled" } else { "Disabled" }
+ $current = if ($enabled) { "Enabled" } else { "No auditing" }
 $auditResult += [WELA]::New(
 "Security Advanced (System)",
 "System Integrity",
From 589b8fcce7d85aade330ce80883092f1cb13afeb Mon Sep 17 00:00:00 2001
From: fukusuket <41001169+fukusuket@users.noreply.github.com>
Date: Fri, 16 May 2025 14:47:47 +0900
Subject: [PATCH 08/15] feat: add currentsetting
---
 WELA.ps1 | 388 +++++++++++++++++++++++++++----------------------------
 1 file changed, 194 insertions(+), 194 deletions(-)
diff --git a/WELA.ps1 b/WELA.ps1
index 554ee2a2..39fc2bb1 100644
--- a/WELA.ps1
+++ b/WELA.ps1
@@ -371,7 +371,7 @@ function GuideYamatoSecurity
 $enabled = CheckRegistryValue -registryPath "HKLM:\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\PowerShell\ModuleLogging" -valueName "EnableModuleLogging" -expectedValue 1
 $rules = $all_rules | Where-Object { RuleFilter $_ $eids $channels $guid }
 $rules | ForEach-Object { $_.applicable = $enabled }
- $current = if ($enabled) { "Enabled" } else { "No auditing" }
+ $current = if ($enabled) { "Enabled" } else { "No Auditing" }
 $auditResult += [WELA]::New(
 "PowerShell",
 "Module",
@@ -390,7 +390,7 @@ function GuideYamatoSecurity
 $enabled = CheckRegistryValue -registryPath "HKLM:\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging" -valueName "EnableScriptBlockLogging" -expectedValue 1
 $rules = $all_rules | Where-Object { RuleFilter $_ $eids $channels $guid }
 $rules | ForEach-Object { $_.applicable = $enabled }
- $current = if ($enabled) { "Enabled" } else { "No auditing" }
+ $current = if ($enabled) { "Enabled" } else { "No Auditing" }
 $auditResult += [WELA]::New(
 "PowerShell",
 "ScriptBlock",
@@ -447,7 +447,7 @@ function GuideYamatoSecurity
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Enabled" } else { "No auditing" }
+ $current = if ($enabled) { "Enabled" } else { "No Auditing" }
 $auditResult += [WELA]::New(
 "Security Advanced (Account Logon)",
 "Credential Validation",
@@ -465,7 +465,7 @@ function GuideYamatoSecurity
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Enabled" } else { "No auditing" }
+ $current = if ($enabled) { "Enabled" } else { "No Auditing" }
 $auditResult += [WELA]::New(
 "Security Advanced (Account Logon)",
 "Kerberos Authentication Service",
@@ -483,7 +483,7 @@ function GuideYamatoSecurity
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Enabled" } else { "No auditing" }
+ $current = if ($enabled) { "Enabled" } else { "No Auditing" }
 $auditResult += [WELA]::New(
 "Security Advanced (Account Logon)",
 "Kerberos Service Ticket Operations",
@@ -502,7 +502,7 @@ function GuideYamatoSecurity
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Enabled" } else { "No auditing" }
+ $current = if ($enabled) { "Enabled" } else { "No Auditing" }
 $auditResult += [WELA]::New(
 "Security Advanced (Account Management)",
 "Computer Account Management",
@@ -520,7 +520,7 @@ function GuideYamatoSecurity
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Enabled" } else { "No auditing" }
+ $current = if ($enabled) { "Enabled" } else { "No Auditing" }
 $auditResult += [WELA]::New(
 "Security Advanced (Account Management)",
 "Other Account Management Events",
@@ -538,7 +538,7 @@ function GuideYamatoSecurity
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Enabled" } else { "No auditing" }
+ $current = if ($enabled) { "Enabled" } else { "No Auditing" }
 $auditResult += [WELA]::New(
 "Security Advanced (Account Management)",
 "Security Group Management",
@@ -556,7 +556,7 @@ function GuideYamatoSecurity
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Enabled" } else { "No auditing" }
+ $current = if ($enabled) { "Enabled" } else { "No Auditing" }
 $auditResult += [WELA]::New(
 "Security Advanced (Account Management)",
 "User Account Management",
@@ -575,7 +575,7 @@ function GuideYamatoSecurity
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Enabled" } else { "No auditing" }
+ $current = if ($enabled) { "Enabled" } else { "No Auditing" }
 $auditResult += [WELA]::New(
 "Security Advanced (Detailed Tracking)",
 "Plug and Play Events",
@@ -593,7 +593,7 @@ function GuideYamatoSecurity
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Enabled" } else { "No auditing" }
+ $current = if ($enabled) { "Enabled" } else { "No Auditing" }
 $auditResult += [WELA]::New(
 "Security Advanced (Detailed Tracking)",
 "Process Creation",
@@ -611,7 +611,7 @@ function GuideYamatoSecurity
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Enabled" } else { "No auditing" }
+ $current = if ($enabled) { "Enabled" } else { "No Auditing" }
 $auditResult += [WELA]::New(
 "Security Advanced (Detailed Tracking)",
 "Process Termination",
@@ -629,7 +629,7 @@ function GuideYamatoSecurity
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Enabled" } else { "No auditing" }
+ $current = if ($enabled) { "Enabled" } else { "No Auditing" }
 $auditResult += [WELA]::New(
 "Security Advanced (Detailed Tracking)",
 "RPC Events",
@@ -647,7 +647,7 @@ function GuideYamatoSecurity
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Enabled" } else { "No auditing" }
+ $current = if ($enabled) { "Enabled" } else { "No Auditing" }
 $auditResult += [WELA]::New(
 "Security Advanced (Detailed Tracking)",
 "Token Right Adjusted Events",
@@ -666,7 +666,7 @@ function GuideYamatoSecurity
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Enabled" } else { "No auditing" }
+ $current = if ($enabled) { "Enabled" } else { "No Auditing" }
 $auditResult += [WELA]::New(
 "Security Advanced (DS Access)",
 "Directory Service Access",
@@ -684,7 +684,7 @@ function GuideYamatoSecurity
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Enabled" } else { "No auditing" }
+ $current = if ($enabled) { "Enabled" } else { "No Auditing" }
 $auditResult += [WELA]::New(
 "Security Advanced (DS Access)",
 "Directory Service Changes",
@@ -703,7 +703,7 @@ function GuideYamatoSecurity
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Enabled" } else { "No auditing" }
+ $current = if ($enabled) { "Enabled" } else { "No Auditing" }
 $auditResult += [WELA]::New(
 "Security Advanced (Logon/Logoff)",
 "Account Lockout",
@@ -721,7 +721,7 @@ function GuideYamatoSecurity
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Enabled" } else { "No auditing" }
+ $current = if ($enabled) { "Enabled" } else { "No Auditing" }
 $auditResult += [WELA]::New(
 "Security Advanced (Logon/Logoff)",
 "Group Membership",
@@ -739,7 +739,7 @@ function GuideYamatoSecurity
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Enabled" } else { "No auditing" }
+ $current = if ($enabled) { "Enabled" } else { "No Auditing" }
 $auditResult += [WELA]::New(
 "Security Advanced (Logon/Logoff)",
 "Group Membership",
@@ -757,7 +757,7 @@ function GuideYamatoSecurity
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Enabled" } else { "No auditing" }
+ $current = if ($enabled) { "Enabled" } else { "No Auditing" }
 $auditResult += [WELA]::New(
 "Security Advanced (Logon/Logoff)",
 "Logon",
@@ -775,7 +775,7 @@ function GuideYamatoSecurity
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Enabled" } else { "No auditing" }
+ $current = if ($enabled) { "Enabled" } else { "No Auditing" }
 $auditResult += [WELA]::New(
 "Security Advanced (Logon/Logoff)",
 "Other Logon/Logoff Events",
@@ -793,7 +793,7 @@ function GuideYamatoSecurity
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Enabled" } else { "No auditing" }
+ $current = if ($enabled) { "Enabled" } else { "No Auditing" }
 $auditResult += [WELA]::New(
 "Security Advanced (Logon/Logoff)",
 "Special Logon",
@@ -813,7 +813,7 @@ function GuideYamatoSecurity
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Enabled" } else { "No auditing" }
+ $current = if ($enabled) { "Enabled" } else { "No Auditing" }
 $auditResult += [WELA]::New(
 "Security Advanced (Object Access)",
 "Certification Services",
@@ -831,7 +831,7 @@ function GuideYamatoSecurity
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Enabled" } else { "No auditing" }
+ $current = if ($enabled) { "Enabled" } else { "No Auditing" }
 $auditResult += [WELA]::New(
 "Security Advanced (Object Access)",
 "Certification Services",
@@ -849,7 +849,7 @@ function GuideYamatoSecurity
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Enabled" } else { "No auditing" }
+ $current = if ($enabled) { "Enabled" } else { "No Auditing" }
 $auditResult += [WELA]::New(
 "Security Advanced (Object Access)",
 "File Share",
@@ -867,7 +867,7 @@ function GuideYamatoSecurity
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Enabled" } else { "No auditing" }
+ $current = if ($enabled) { "Enabled" } else { "No Auditing" }
 $auditResult += [WELA]::New(
 "Security Advanced (Object Access)",
 "File System",
@@ -885,7 +885,7 @@ function GuideYamatoSecurity
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Enabled" } else { "No auditing" }
+ $current = if ($enabled) { "Enabled" } else { "No Auditing" }
 $auditResult += [WELA]::New(
 "Security Advanced (Object Access)",
 "Filtering Platform Connection",
@@ -903,7 +903,7 @@ function GuideYamatoSecurity
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Enabled" } else { "No auditing" }
+ $current = if ($enabled) { "Enabled" } else { "No Auditing" }
 $auditResult += [WELA]::New(
 "Security Advanced (Object Access)",
 "Filtering Platform Packet Drop",
@@ -921,7 +921,7 @@ function GuideYamatoSecurity
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Enabled" } else { "No auditing" }
+ $current = if ($enabled) { "Enabled" } else { "No Auditing" }
 $auditResult += [WELA]::New(
 "Security Advanced (Object Access)",
 "Kernel Object",
@@ -939,7 +939,7 @@ function GuideYamatoSecurity
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Enabled" } else { "No auditing" }
+ $current = if ($enabled) { "Enabled" } else { "No Auditing" }
 $auditResult += [WELA]::New(
 "Security Advanced (Object Access)",
 "Handle Manipulation",
@@ -957,7 +957,7 @@ function GuideYamatoSecurity
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Enabled" } else { "No auditing" }
+ $current = if ($enabled) { "Enabled" } else { "No Auditing" }
 $auditResult += [WELA]::New(
 "Security Advanced (Object Access)",
 "Other Object Access Events",
@@ -975,7 +975,7 @@ function GuideYamatoSecurity
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Enabled" } else { "No auditing" }
+ $current = if ($enabled) { "Enabled" } else { "No Auditing" }
 $auditResult += [WELA]::New(
 "Security Advanced (Object Access)",
 "Registry",
@@ -993,7 +993,7 @@ function GuideYamatoSecurity
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Enabled" } else { "No auditing" }
+ $current = if ($enabled) { "Enabled" } else { "No Auditing" }
 $auditResult += [WELA]::New(
 "Security Advanced (Object Access)",
 "Removable Storage",
@@ -1011,7 +1011,7 @@ function GuideYamatoSecurity
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Enabled" } else { "No auditing" }
+ $current = if ($enabled) { "Enabled" } else { "No Auditing" }
 $auditResult += [WELA]::New(
 "Security Advanced (Object Access)",
 "SAM",
@@ -1030,7 +1030,7 @@ function GuideYamatoSecurity
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Enabled" } else { "No auditing" }
+ $current = if ($enabled) { "Enabled" } else { "No Auditing" }
 $auditResult += [WELA]::New(
 "Security Advanced (Policy Change)",
 "Audit Policy Change",
@@ -1048,7 +1048,7 @@ function GuideYamatoSecurity
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Enabled" } else { "No auditing" }
+ $current = if ($enabled) { "Enabled" } else { "No Auditing" }
 $auditResult += [WELA]::New(
 "Security Advanced (Policy Change)",
 "Authentication Policy Change",
@@ -1066,7 +1066,7 @@ function GuideYamatoSecurity
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Enabled" } else { "No auditing" }
+ $current = if ($enabled) { "Enabled" } else { "No Auditing" }
 $auditResult += [WELA]::New(
 "Security Advanced (Policy Change)",
 "Authorization Policy Change",
@@ -1084,7 +1084,7 @@ function GuideYamatoSecurity
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Enabled" } else { "No auditing" }
+ $current = if ($enabled) { "Enabled" } else { "No Auditing" }
 $auditResult += [WELA]::New(
 "Security Advanced (Policy Change)",
 "Filtering Platform Policy Change",
@@ -1102,7 +1102,7 @@ function GuideYamatoSecurity
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Enabled" } else { "No auditing" }
+ $current = if ($enabled) { "Enabled" } else { "No Auditing" }
 $auditResult += [WELA]::New(
 "Security Advanced (Policy Change)",
 "MPSSVC Rule-Level Policy Change",
@@ -1120,7 +1120,7 @@ function GuideYamatoSecurity
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Enabled" } else { "No auditing" }
+ $current = if ($enabled) { "Enabled" } else { "No Auditing" }
 $auditResult += [WELA]::New(
 "Security Advanced (Policy Change)",
 "Other Policy Change Events",
@@ -1139,7 +1139,7 @@ function GuideYamatoSecurity
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Enabled" } else { "No auditing" }
+ $current = if ($enabled) { "Enabled" } else { "No Auditing" }
 $auditResult += [WELA]::New(
 "Security Advanced (Privilege Use)",
 "Non-Sensitive Privilege Use",
@@ -1157,7 +1157,7 @@ function GuideYamatoSecurity
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Enabled" } else { "No auditing" }
+ $current = if ($enabled) { "Enabled" } else { "No Auditing" }
 $auditResult += [WELA]::New(
 "Security Advanced (Privilege Use)",
 "Sensitive Privilege Use",
@@ -1176,7 +1176,7 @@ function GuideYamatoSecurity
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Enabled" } else { "No auditing" }
+ $current = if ($enabled) { "Enabled" } else { "No Auditing" }
 $auditResult += [WELA]::New(
 "Security Advanced (System)",
 "Other System Events",
@@ -1194,7 +1194,7 @@ function GuideYamatoSecurity
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Enabled" } else { "No auditing" }
+ $current = if ($enabled) { "Enabled" } else { "No Auditing" }
 $auditResult += [WELA]::New(
 "Security Advanced (System)",
 "Other System Events",
@@ -1212,7 +1212,7 @@ function GuideYamatoSecurity
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Enabled" } else { "No auditing" }
+ $current = if ($enabled) { "Enabled" } else { "No Auditing" }
 $auditResult += [WELA]::New(
 "Security Advanced (System)",
 "Security System Extension",
@@ -1230,7 +1230,7 @@ function GuideYamatoSecurity
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Enabled" } else { "No auditing" }
+ $current = if ($enabled) { "Enabled" } else { "No Auditing" }
 $auditResult += [WELA]::New(
 "Security Advanced (System)",
 "System Integrity",
@@ -1249,7 +1249,7 @@ function GuideYamatoSecurity
 $enabled = $true
 $rules = $all_rules | Where-Object { RuleFilter $_ $eids $channels $guid }
 $rules | ForEach-Object { $_.applicable = $enabled }
- $current = if ($enabled) { "Enabled" } else { "No auditing" }
+ $current = if ($enabled) { "Enabled" } else { "No Auditing" }
 $auditResult += [WELA]::New(
 "Security-Mitigations KernelMode",
 "",
@@ -1268,7 +1268,7 @@ function GuideYamatoSecurity
 $enabled = $true
 $rules = $all_rules | Where-Object { RuleFilter $_ $eids $channels $guid }
 $rules | ForEach-Object { $_.applicable = $enabled }
- $current = if ($enabled) { "Enabled" } else { "No auditing" }
+ $current = if ($enabled) { "Enabled" } else { "No Auditing" }
 $auditResult += [WELA]::New(
 "Security-Mitigations UserMode",
 "",
@@ -1287,7 +1287,7 @@ function GuideYamatoSecurity
 $enabled = $true
 $rules = $all_rules | Where-Object { RuleFilter $_ $eids $channels $guid }
 $rules | ForEach-Object { $_.applicable = $enabled }
- $current = if ($enabled) { "Enabled" } else { "No auditing" }
+ $current = if ($enabled) { "Enabled" } else { "No Auditing" }
 $auditResult += [WELA]::New(
 "SMBClient Security",
 "",
@@ -1306,7 +1306,7 @@ function GuideYamatoSecurity
 $enabled = $true
 $rules = $all_rules | Where-Object { RuleFilter $_ $eids $channels $guid }
 $rules | ForEach-Object { $_.applicable = $enabled }
- $current = if ($enabled) { "Enabled" } else { "No auditing" }
+ $current = if ($enabled) { "Enabled" } else { "No Auditing" }
 $auditResult += [WELA]::New(
 "System",
 "",
@@ -1569,7 +1569,7 @@ function GuideASD {
 $enabled = CheckRegistryValue -registryPath "HKLM:\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\PowerShell\ModuleLogging" -valueName "EnableModuleLogging" -expectedValue 1
 $rules = $all_rules | Where-Object { RuleFilter $_ $eids $channels $guid }
 $rules | ForEach-Object { $_.applicable = $enabled }
- $current = if ($enabled) { "Enabled" } else { "No auditing" }
+ $current = if ($enabled) { "Enabled" } else { "No Auditing" }
 $auditResult += [WELA]::New(
 "PowerShell",
 "Module",
@@ -1588,7 +1588,7 @@ function GuideASD {
 $enabled = CheckRegistryValue -registryPath "HKLM:\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging" -valueName "EnableScriptBlockLogging" -expectedValue 1
 $rules = $all_rules | Where-Object { RuleFilter $_ $eids $channels $guid }
 $rules | ForEach-Object { $_.applicable = $enabled }
- $current = if ($enabled) { "Enabled" } else { "No auditing" }
+ $current = if ($enabled) { "Enabled" } else { "No Auditing" }
 $auditResult += [WELA]::New(
 "PowerShell",
 "ScriptBlock",
@@ -1645,7 +1645,7 @@ function GuideASD {
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Enabled" } else { "No auditing" }
+ $current = if ($enabled) { "Enabled" } else { "No Auditing" }
 $auditResult += [WELA]::New(
 "Security Advanced (Account Logon)",
 "Credential Validation",
@@ -1663,7 +1663,7 @@ function GuideASD {
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Enabled" } else { "No auditing" }
+ $current = if ($enabled) { "Enabled" } else { "No Auditing" }
 $auditResult += [WELA]::New(
 "Security Advanced (Account Logon)",
 "Kerberos Authentication Service",
@@ -1681,7 +1681,7 @@ function GuideASD {
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Enabled" } else { "No auditing" }
+ $current = if ($enabled) { "Enabled" } else { "No Auditing" }
 $auditResult += [WELA]::New(
 "Security Advanced (Account Logon)",
 "Kerberos Service Ticket Operations",
@@ -1700,7 +1700,7 @@ function GuideASD {
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Enabled" } else { "No auditing" }
+ $current = if ($enabled) { "Enabled" } else { "No Auditing" }
 $auditResult += [WELA]::New(
 "Security Advanced (Account Management)",
 "Computer Account Management",
@@ -1718,7 +1718,7 @@ function GuideASD {
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Enabled" } else { "No auditing" }
+ $current = if ($enabled) { "Enabled" } else { "No Auditing" }
 $auditResult += [WELA]::New(
 "Security Advanced (Account Management)",
 "Other Account Management Events",
@@ -1736,7 +1736,7 @@ function GuideASD {
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Enabled" } else { "No auditing" }
+ $current = if ($enabled) { "Enabled" } else { "No Auditing" }
 $auditResult += [WELA]::New(
 "Security Advanced (Account Management)",
 "Security Group Management",
@@ -1754,7 +1754,7 @@ function GuideASD {
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Enabled" } else { "No auditing" }
+ $current = if ($enabled) { "Enabled" } else { "No Auditing" }
 $auditResult += [WELA]::New(
 "Security Advanced (Account Management)",
 "User Account Management",
@@ -1773,7 +1773,7 @@ function GuideASD {
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Enabled" } else { "No auditing" }
+ $current = if ($enabled) { "Enabled" } else { "No Auditing" }
 $auditResult += [WELA]::New(
 "Security Advanced (Detailed Tracking)",
 "Plug and Play Events",
@@ -1791,7 +1791,7 @@ function GuideASD { $channels = @("sec") $enabled = $enabledguid -contains $guid $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid - $current = if ($enabled) { "Enabled" } else { "No auditing" } + $current = if ($enabled) { "Enabled" } else { "No Auditing" } $auditResult += [WELA]::New( "Security Advanced (Detailed Tracking)", "Process Creation", @@ -1809,7 +1809,7 @@ function GuideASD { $channels = @("sec") $enabled = $enabledguid -contains $guid $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid - $current = if ($enabled) { "Enabled" } else { "No auditing" } + $current = if ($enabled) { "Enabled" } else { "No Auditing" } $auditResult += [WELA]::New( "Security Advanced (Detailed Tracking)", "Process Termination", @@ -1827,7 +1827,7 @@ function GuideASD { $channels = @("sec") $enabled = $enabledguid -contains $guid $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid - $current = if ($enabled) { "Enabled" } else { "No auditing" } + $current = if ($enabled) { "Enabled" } else { "No Auditing" } $auditResult += [WELA]::New( "Security Advanced (Detailed Tracking)", "RPC Events", @@ -1845,7 +1845,7 @@ function GuideASD { $channels = @("sec") $enabled = $enabledguid -contains $guid $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid - $current = if ($enabled) { "Enabled" } else { "No auditing" } + $current = if ($enabled) { "Enabled" } else { "No Auditing" } $auditResult += [WELA]::New( "Security Advanced (Detailed Tracking)", "Token Right Adjusted Events", @@ -1864,7 +1864,7 @@ function GuideASD { $channels = @("sec") $enabled = $enabledguid -contains $guid $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid - $current = if ($enabled) { "Enabled" } else { "No auditing" } + $current = if ($enabled) { "Enabled" } else { "No Auditing" } $auditResult += [WELA]::New( "Security Advanced (DS Access)", "Directory Service Access", 
@@ -1882,7 +1882,7 @@ function GuideASD { $channels = @("sec") $enabled = $enabledguid -contains $guid $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid - $current = if ($enabled) { "Enabled" } else { "No auditing" } + $current = if ($enabled) { "Enabled" } else { "No Auditing" } $auditResult += [WELA]::New( "Security Advanced (DS Access)", "Directory Service Changes", @@ -1901,7 +1901,7 @@ function GuideASD { $channels = @("sec") $enabled = $enabledguid -contains $guid $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid - $current = if ($enabled) { "Enabled" } else { "No auditing" } + $current = if ($enabled) { "Enabled" } else { "No Auditing" } $auditResult += [WELA]::New( "Security Advanced (Logon/Logoff)", "Account Lockout", @@ -1919,7 +1919,7 @@ function GuideASD { $channels = @("sec") $enabled = $enabledguid -contains $guid $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid - $current = if ($enabled) { "Enabled" } else { "No auditing" } + $current = if ($enabled) { "Enabled" } else { "No Auditing" } $auditResult += [WELA]::New( "Security Advanced (Logon/Logoff)", "Group Membership", @@ -1937,7 +1937,7 @@ function GuideASD { $channels = @("sec") $enabled = $enabledguid -contains $guid $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid - $current = if ($enabled) { "Enabled" } else { "No auditing" } + $current = if ($enabled) { "Enabled" } else { "No Auditing" } $auditResult += [WELA]::New( "Security Advanced (Logon/Logoff)", "Group Membership", @@ -1955,7 +1955,7 @@ function GuideASD { $channels = @("sec") $enabled = $enabledguid -contains $guid $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid - $current = if ($enabled) { "Enabled" } else { "No auditing" } + $current = if ($enabled) { "Enabled" } else { "No Auditing" } $auditResult += [WELA]::New( "Security Advanced (Logon/Logoff)", "Logon", 
@@ -1973,7 +1973,7 @@ function GuideASD { $channels = @("sec") $enabled = $enabledguid -contains $guid $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid - $current = if ($enabled) { "Enabled" } else { "No auditing" } + $current = if ($enabled) { "Enabled" } else { "No Auditing" } $auditResult += [WELA]::New( "Security Advanced (Logon/Logoff)", "Other Logon/Logoff Events", @@ -1991,7 +1991,7 @@ function GuideASD { $channels = @("sec") $enabled = $enabledguid -contains $guid $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid - $current = if ($enabled) { "Enabled" } else { "No auditing" } + $current = if ($enabled) { "Enabled" } else { "No Auditing" } $auditResult += [WELA]::New( "Security Advanced (Logon/Logoff)", "Special Logon", @@ -2011,7 +2011,7 @@ function GuideASD { $channels = @("sec") $enabled = $enabledguid -contains $guid $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid - $current = if ($enabled) { "Enabled" } else { "No auditing" } + $current = if ($enabled) { "Enabled" } else { "No Auditing" } $auditResult += [WELA]::New( "Security Advanced (Object Access)", "Certification Services", @@ -2029,7 +2029,7 @@ function GuideASD { $channels = @("sec") $enabled = $enabledguid -contains $guid $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid - $current = if ($enabled) { "Enabled" } else { "No auditing" } + $current = if ($enabled) { "Enabled" } else { "No Auditing" } $auditResult += [WELA]::New( "Security Advanced (Object Access)", "Certification Services", @@ -2047,7 +2047,7 @@ function GuideASD { $channels = @("sec") $enabled = $enabledguid -contains $guid $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid - $current = if ($enabled) { "Enabled" } else { "No auditing" } + $current = if ($enabled) { "Enabled" } else { "No Auditing" } $auditResult += [WELA]::New( "Security Advanced (Object Access)", "File Share", 
@@ -2065,7 +2065,7 @@ function GuideASD { $channels = @("sec") $enabled = $enabledguid -contains $guid $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid - $current = if ($enabled) { "Enabled" } else { "No auditing" } + $current = if ($enabled) { "Enabled" } else { "No Auditing" } $auditResult += [WELA]::New( "Security Advanced (Object Access)", "File System", @@ -2083,7 +2083,7 @@ function GuideASD { $channels = @("sec") $enabled = $enabledguid -contains $guid $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid - $current = if ($enabled) { "Enabled" } else { "No auditing" } + $current = if ($enabled) { "Enabled" } else { "No Auditing" } $auditResult += [WELA]::New( "Security Advanced (Object Access)", "Filtering Platform Connection", @@ -2101,7 +2101,7 @@ function GuideASD { $channels = @("sec") $enabled = $enabledguid -contains $guid $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid - $current = if ($enabled) { "Enabled" } else { "No auditing" } + $current = if ($enabled) { "Enabled" } else { "No Auditing" } $auditResult += [WELA]::New( "Security Advanced (Object Access)", "Filtering Platform Packet Drop", @@ -2119,7 +2119,7 @@ function GuideASD { $channels = @("sec") $enabled = $enabledguid -contains $guid $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid - $current = if ($enabled) { "Enabled" } else { "No auditing" } + $current = if ($enabled) { "Enabled" } else { "No Auditing" } $auditResult += [WELA]::New( "Security Advanced (Object Access)", "Kernel Object", @@ -2137,7 +2137,7 @@ function GuideASD { $channels = @("sec") $enabled = $enabledguid -contains $guid $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid - $current = if ($enabled) { "Enabled" } else { "No auditing" } + $current = if ($enabled) { "Enabled" } else { "No Auditing" } $auditResult += [WELA]::New( "Security Advanced (Object Access)", "Handle Manipulation", 
@@ -2155,7 +2155,7 @@ function GuideASD { $channels = @("sec") $enabled = $enabledguid -contains $guid $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid - $current = if ($enabled) { "Enabled" } else { "No auditing" } + $current = if ($enabled) { "Enabled" } else { "No Auditing" } $auditResult += [WELA]::New( "Security Advanced (Object Access)", "Other Object Access Events", @@ -2173,7 +2173,7 @@ function GuideASD { $channels = @("sec") $enabled = $enabledguid -contains $guid $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid - $current = if ($enabled) { "Enabled" } else { "No auditing" } + $current = if ($enabled) { "Enabled" } else { "No Auditing" } $auditResult += [WELA]::New( "Security Advanced (Object Access)", "Registry", @@ -2191,7 +2191,7 @@ function GuideASD { $channels = @("sec") $enabled = $enabledguid -contains $guid $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid - $current = if ($enabled) { "Enabled" } else { "No auditing" } + $current = if ($enabled) { "Enabled" } else { "No Auditing" } $auditResult += [WELA]::New( "Security Advanced (Object Access)", "Removable Storage", @@ -2209,7 +2209,7 @@ function GuideASD { $channels = @("sec") $enabled = $enabledguid -contains $guid $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid - $current = if ($enabled) { "Enabled" } else { "No auditing" } + $current = if ($enabled) { "Enabled" } else { "No Auditing" } $auditResult += [WELA]::New( "Security Advanced (Object Access)", "SAM", @@ -2228,7 +2228,7 @@ function GuideASD { $channels = @("sec") $enabled = $enabledguid -contains $guid $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid - $current = if ($enabled) { "Enabled" } else { "No auditing" } + $current = if ($enabled) { "Enabled" } else { "No Auditing" } $auditResult += [WELA]::New( "Security Advanced (Policy Change)", "Audit Policy Change", 
@@ -2246,7 +2246,7 @@ function GuideASD { $channels = @("sec") $enabled = $enabledguid -contains $guid $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid - $current = if ($enabled) { "Enabled" } else { "No auditing" } + $current = if ($enabled) { "Enabled" } else { "No Auditing" } $auditResult += [WELA]::New( "Security Advanced (Policy Change)", "Authentication Policy Change", @@ -2264,7 +2264,7 @@ function GuideASD { $channels = @("sec") $enabled = $enabledguid -contains $guid $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid - $current = if ($enabled) { "Enabled" } else { "No auditing" } + $current = if ($enabled) { "Enabled" } else { "No Auditing" } $auditResult += [WELA]::New( "Security Advanced (Policy Change)", "Authorization Policy Change", @@ -2282,7 +2282,7 @@ function GuideASD { $channels = @("sec") $enabled = $enabledguid -contains $guid $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid - $current = if ($enabled) { "Enabled" } else { "No auditing" } + $current = if ($enabled) { "Enabled" } else { "No Auditing" } $auditResult += [WELA]::New( "Security Advanced (Policy Change)", "Filtering Platform Policy Change", @@ -2300,7 +2300,7 @@ function GuideASD { $channels = @("sec") $enabled = $enabledguid -contains $guid $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid - $current = if ($enabled) { "Enabled" } else { "No auditing" } + $current = if ($enabled) { "Enabled" } else { "No Auditing" } $auditResult += [WELA]::New( "Security Advanced (Policy Change)", "MPSSVC Rule-Level Policy Change", @@ -2318,7 +2318,7 @@ function GuideASD { $channels = @("sec") $enabled = $enabledguid -contains $guid $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid - $current = if ($enabled) { "Enabled" } else { "No auditing" } + $current = if ($enabled) { "Enabled" } else { "No Auditing" } $auditResult += [WELA]::New( "Security Advanced (Policy Change)", "Other Policy Change Events", 
@@ -2337,7 +2337,7 @@ function GuideASD { $channels = @("sec") $enabled = $enabledguid -contains $guid $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid - $current = if ($enabled) { "Enabled" } else { "No auditing" } + $current = if ($enabled) { "Enabled" } else { "No Auditing" } $auditResult += [WELA]::New( "Security Advanced (Privilege Use)", "Non-Sensitive Privilege Use", @@ -2355,7 +2355,7 @@ function GuideASD { $channels = @("sec") $enabled = $enabledguid -contains $guid $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid - $current = if ($enabled) { "Enabled" } else { "No auditing" } + $current = if ($enabled) { "Enabled" } else { "No Auditing" } $auditResult += [WELA]::New( "Security Advanced (Privilege Use)", "Sensitive Privilege Use", @@ -2374,7 +2374,7 @@ function GuideASD { $channels = @("sec") $enabled = $enabledguid -contains $guid $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid - $current = if ($enabled) { "Enabled" } else { "No auditing" } + $current = if ($enabled) { "Enabled" } else { "No Auditing" } $auditResult += [WELA]::New( "Security Advanced (System)", "Other System Events", @@ -2392,7 +2392,7 @@ function GuideASD { $channels = @("sec") $enabled = $enabledguid -contains $guid $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid - $current = if ($enabled) { "Enabled" } else { "No auditing" } + $current = if ($enabled) { "Enabled" } else { "No Auditing" } $auditResult += [WELA]::New( "Security Advanced (System)", "Other System Events", @@ -2410,7 +2410,7 @@ function GuideASD { $channels = @("sec") $enabled = $enabledguid -contains $guid $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid - $current = if ($enabled) { "Enabled" } else { "No auditing" } + $current = if ($enabled) { "Enabled" } else { "No Auditing" } $auditResult += [WELA]::New( "Security Advanced (System)", "Security System Extension", 
@@ -2428,7 +2428,7 @@ function GuideASD { $channels = @("sec") $enabled = $enabledguid -contains $guid $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid - $current = if ($enabled) { "Enabled" } else { "No auditing" } + $current = if ($enabled) { "Enabled" } else { "No Auditing" } $auditResult += [WELA]::New( "Security Advanced (System)", "System Integrity", @@ -2447,7 +2447,7 @@ function GuideASD { $enabled = $true $rules = $all_rules | Where-Object { RuleFilter $_ $eids $channels $guid } $rules | ForEach-Object { $_.applicable = $enabled } - $current = if ($enabled) { "Enabled" } else { "No auditing" } + $current = if ($enabled) { "Enabled" } else { "No Auditing" } $auditResult += [WELA]::New( "Security-Mitigations KernelMode", "", @@ -2466,7 +2466,7 @@ function GuideASD { $enabled = $true $rules = $all_rules | Where-Object { RuleFilter $_ $eids $channels $guid } $rules | ForEach-Object { $_.applicable = $enabled } - $current = if ($enabled) { "Enabled" } else { "No auditing" } + $current = if ($enabled) { "Enabled" } else { "No Auditing" } $auditResult += [WELA]::New( "Security-Mitigations UserMode", "", @@ -2485,7 +2485,7 @@ function GuideASD { $enabled = $true $rules = $all_rules | Where-Object { RuleFilter $_ $eids $channels $guid } $rules | ForEach-Object { $_.applicable = $enabled } - $current = if ($enabled) { "Enabled" } else { "No auditing" } + $current = if ($enabled) { "Enabled" } else { "No Auditing" } $auditResult += [WELA]::New( "SMBClient Security", "", 
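Review bot: In the Security-Mitigations KernelMode, Security-Mitigations UserMode and SMBClient Security hunks `$enabled` is hard-coded to `$true`, so the "Enabled" current setting they now emit was never measured and the "No Auditing" branch is dead code there. If these channels are meant to be treated as always on, the label should say so rather than imply a check, e.g. `$current = "Enabled (assumed, not checked)"`; otherwise query the channel state, e.g. `$enabled = (Get-WinEvent -ListLog "Microsoft-Windows-Security-Mitigations/KernelMode" -ErrorAction SilentlyContinue).IsEnabled -eq $true` (channel name inferred from the category label; verify against the actual log name). The enclosing GuideASD function starts and ends outside these hunks.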
@@ -2766,7 +2766,7 @@ function GuideMSC { $enabled = CheckRegistryValue -registryPath "HKLM:\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\PowerShell\ModuleLogging" -valueName "EnableModuleLogging" -expectedValue 1 $rules = $all_rules | Where-Object { RuleFilter $_ $eids $channels $guid } $rules | ForEach-Object { $_.applicable = $enabled } - $current = if ($enabled) { "Enabled" } else { "No auditing" } + $current = if ($enabled) { "Enabled" } else { "No Auditing" } $auditResult += [WELA]::New( "PowerShell", "Module", @@ -2785,7 +2785,7 @@ function GuideMSC { $enabled = CheckRegistryValue -registryPath "HKLM:\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging" -valueName "EnableScriptBlockLogging" -expectedValue 1 $rules = $all_rules | Where-Object { RuleFilter $_ $eids $channels $guid } $rules | ForEach-Object { $_.applicable = $enabled } - $current = if ($enabled) { "Enabled" } else { "No auditing" } + $current = if ($enabled) { "Enabled" } else { "No Auditing" } $auditResult += [WELA]::New( "PowerShell", "ScriptBlock", @@ -2842,7 +2842,7 @@ function GuideMSC { $channels = @("sec") $enabled = $enabledguid -contains $guid $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid - $current = if ($enabled) { "Enabled" } else { "No auditing" } + $current = if ($enabled) { "Enabled" } else { "No Auditing" } $auditResult += [WELA]::New( "Security Advanced (Account Logon)", "Credential Validation", @@ -2860,7 +2860,7 @@ function GuideMSC { $channels = @("sec") $enabled = $enabledguid -contains $guid $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid - $current = if ($enabled) { "Enabled" } else { "No auditing" } + $current = if ($enabled) { "Enabled" } else { "No Auditing" } $auditResult += [WELA]::New( "Security Advanced (Account Logon)", "Kerberos Authentication Service", 
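Review bot: The Module and ScriptBlock hunks in GuideMSC read `EnableModuleLogging` and `EnableScriptBlockLogging` only from the `Wow6432Node` hive, so the "No Auditing" label they emit can be a false negative on a 64-bit host where the policy lives under `HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\...`. Consider checking the native Policies path first and using Wow6432Node as a fallback, e.g. `$enabled = (CheckRegistryValue -registryPath "HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ModuleLogging" -valueName "EnableModuleLogging" -expectedValue 1) -or (CheckRegistryValue -registryPath "HKLM:\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\PowerShell\ModuleLogging" -valueName "EnableModuleLogging" -expectedValue 1)`. A comment on the `$enabled` line noting which registry view is authoritative would also help the next maintainer. GuideMSC starts before these hunks.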
@@ -2878,7 +2878,7 @@ function GuideMSC { $channels = @("sec") $enabled = $enabledguid -contains $guid $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid - $current = if ($enabled) { "Enabled" } else { "No auditing" } + $current = if ($enabled) { "Enabled" } else { "No Auditing" } $auditResult += [WELA]::New( "Security Advanced (Account Logon)", "Kerberos Service Ticket Operations", @@ -2897,7 +2897,7 @@ function GuideMSC { $channels = @("sec") $enabled = $enabledguid -contains $guid $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid - $current = if ($enabled) { "Enabled" } else { "No auditing" } + $current = if ($enabled) { "Enabled" } else { "No Auditing" } $auditResult += [WELA]::New( "Security Advanced (Account Management)", "Computer Account Management", @@ -2915,7 +2915,7 @@ function GuideMSC { $channels = @("sec") $enabled = $enabledguid -contains $guid $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid - $current = if ($enabled) { "Enabled" } else { "No auditing" } + $current = if ($enabled) { "Enabled" } else { "No Auditing" } $auditResult += [WELA]::New( "Security Advanced (Account Management)", "Other Account Management Events", @@ -2933,7 +2933,7 @@ function GuideMSC { $channels = @("sec") $enabled = $enabledguid -contains $guid $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid - $current = if ($enabled) { "Enabled" } else { "No auditing" } + $current = if ($enabled) { "Enabled" } else { "No Auditing" } $auditResult += [WELA]::New( "Security Advanced (Account Management)", "Security Group Management", 
@@ -2951,7 +2951,7 @@ function GuideMSC { $channels = @("sec") $enabled = $enabledguid -contains $guid $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid - $current = if ($enabled) { "Enabled" } else { "No auditing" } + $current = if ($enabled) { "Enabled" } else { "No Auditing" } $auditResult += [WELA]::New( "Security Advanced (Account Management)", "User Account Management", @@ -2970,7 +2970,7 @@ function GuideMSC { $channels = @("sec") $enabled = $enabledguid -contains $guid $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid - $current = if ($enabled) { "Enabled" } else { "No auditing" } + $current = if ($enabled) { "Enabled" } else { "No Auditing" } $auditResult += [WELA]::New( "Security Advanced (Detailed Tracking)", "Plug and Play Events", @@ -2988,7 +2988,7 @@ function GuideMSC { $channels = @("sec") $enabled = $enabledguid -contains $guid $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid - $current = if ($enabled) { "Enabled" } else { "No auditing" } + $current = if ($enabled) { "Enabled" } else { "No Auditing" } $auditResult += [WELA]::New( "Security Advanced (Detailed Tracking)", "Process Creation", @@ -3006,7 +3006,7 @@ function GuideMSC { $channels = @("sec") $enabled = $enabledguid -contains $guid $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid - $current = if ($enabled) { "Enabled" } else { "No auditing" } + $current = if ($enabled) { "Enabled" } else { "No Auditing" } $auditResult += [WELA]::New( "Security Advanced (Detailed Tracking)", "Process Termination", @@ -3024,7 +3024,7 @@ function GuideMSC { $channels = @("sec") $enabled = $enabledguid -contains $guid $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid - $current = if ($enabled) { "Enabled" } else { "No auditing" } + $current = if ($enabled) { "Enabled" } else { "No Auditing" } $auditResult += [WELA]::New( "Security Advanced (Detailed Tracking)", "RPC Events", 
@@ -3042,7 +3042,7 @@ function GuideMSC { $channels = @("sec") $enabled = $enabledguid -contains $guid $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid - $current = if ($enabled) { "Enabled" } else { "No auditing" } + $current = if ($enabled) { "Enabled" } else { "No Auditing" } $auditResult += [WELA]::New( "Security Advanced (Detailed Tracking)", "Token Right Adjusted Events", @@ -3061,7 +3061,7 @@ function GuideMSC { $channels = @("sec") $enabled = $enabledguid -contains $guid $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid - $current = if ($enabled) { "Enabled" } else { "No auditing" } + $current = if ($enabled) { "Enabled" } else { "No Auditing" } $auditResult += [WELA]::New( "Security Advanced (DS Access)", "Directory Service Access", @@ -3079,7 +3079,7 @@ function GuideMSC { $channels = @("sec") $enabled = $enabledguid -contains $guid $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid - $current = if ($enabled) { "Enabled" } else { "No auditing" } + $current = if ($enabled) { "Enabled" } else { "No Auditing" } $auditResult += [WELA]::New( "Security Advanced (DS Access)", "Directory Service Changes", @@ -3098,7 +3098,7 @@ function GuideMSC { $channels = @("sec") $enabled = $enabledguid -contains $guid $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid - $current = if ($enabled) { "Enabled" } else { "No auditing" } + $current = if ($enabled) { "Enabled" } else { "No Auditing" } $auditResult += [WELA]::New( "Security Advanced (Logon/Logoff)", "Account Lockout", @@ -3116,7 +3116,7 @@ function GuideMSC { $channels = @("sec") $enabled = $enabledguid -contains $guid $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid - $current = if ($enabled) { "Enabled" } else { "No auditing" } + $current = if ($enabled) { "Enabled" } else { "No Auditing" } $auditResult += [WELA]::New( "Security Advanced (Logon/Logoff)", "Group Membership", 
@@ -3134,7 +3134,7 @@ function GuideMSC { $channels = @("sec") $enabled = $enabledguid -contains $guid $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid - $current = if ($enabled) { "Enabled" } else { "No auditing" } + $current = if ($enabled) { "Enabled" } else { "No Auditing" } $auditResult += [WELA]::New( "Security Advanced (Logon/Logoff)", "Group Membership", @@ -3152,7 +3152,7 @@ function GuideMSC { $channels = @("sec") $enabled = $enabledguid -contains $guid $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid - $current = if ($enabled) { "Enabled" } else { "No auditing" } + $current = if ($enabled) { "Enabled" } else { "No Auditing" } $auditResult += [WELA]::New( "Security Advanced (Logon/Logoff)", "Logon", @@ -3170,7 +3170,7 @@ function GuideMSC { $channels = @("sec") $enabled = $enabledguid -contains $guid $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid - $current = if ($enabled) { "Enabled" } else { "No auditing" } + $current = if ($enabled) { "Enabled" } else { "No Auditing" } $auditResult += [WELA]::New( "Security Advanced (Logon/Logoff)", "Other Logon/Logoff Events", @@ -3188,7 +3188,7 @@ function GuideMSC { $channels = @("sec") $enabled = $enabledguid -contains $guid $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid - $current = if ($enabled) { "Enabled" } else { "No auditing" } + $current = if ($enabled) { "Enabled" } else { "No Auditing" } $auditResult += [WELA]::New( "Security Advanced (Logon/Logoff)", "Special Logon", @@ -3208,7 +3208,7 @@ function GuideMSC { $channels = @("sec") $enabled = $enabledguid -contains $guid $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid - $current = if ($enabled) { "Enabled" } else { "No auditing" } + $current = if ($enabled) { "Enabled" } else { "No Auditing" } $auditResult += [WELA]::New( "Security Advanced (Object Access)", "Certification Services", 
@@ -3226,7 +3226,7 @@ function GuideMSC { $channels = @("sec") $enabled = $enabledguid -contains $guid $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid - $current = if ($enabled) { "Enabled" } else { "No auditing" } + $current = if ($enabled) { "Enabled" } else { "No Auditing" } $auditResult += [WELA]::New( "Security Advanced (Object Access)", "Certification Services", @@ -3244,7 +3244,7 @@ function GuideMSC { $channels = @("sec") $enabled = $enabledguid -contains $guid $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid - $current = if ($enabled) { "Enabled" } else { "No auditing" } + $current = if ($enabled) { "Enabled" } else { "No Auditing" } $auditResult += [WELA]::New( "Security Advanced (Object Access)", "File Share", @@ -3262,7 +3262,7 @@ function GuideMSC { $channels = @("sec") $enabled = $enabledguid -contains $guid $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid - $current = if ($enabled) { "Enabled" } else { "No auditing" } + $current = if ($enabled) { "Enabled" } else { "No Auditing" } $auditResult += [WELA]::New( "Security Advanced (Object Access)", "File System", @@ -3280,7 +3280,7 @@ function GuideMSC { $channels = @("sec") $enabled = $enabledguid -contains $guid $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid - $current = if ($enabled) { "Enabled" } else { "No auditing" } + $current = if ($enabled) { "Enabled" } else { "No Auditing" } $auditResult += [WELA]::New( "Security Advanced (Object Access)", "Filtering Platform Connection", @@ -3298,7 +3298,7 @@ function GuideMSC { $channels = @("sec") $enabled = $enabledguid -contains $guid $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid - $current = if ($enabled) { "Enabled" } else { "No auditing" } + $current = if ($enabled) { "Enabled" } else { "No Auditing" } $auditResult += [WELA]::New( "Security Advanced (Object Access)", "Filtering Platform Packet Drop", 
@@ -3316,7 +3316,7 @@ function GuideMSC { $channels = @("sec") $enabled = $enabledguid -contains $guid $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid - $current = if ($enabled) { "Enabled" } else { "No auditing" } + $current = if ($enabled) { "Enabled" } else { "No Auditing" } $auditResult += [WELA]::New( "Security Advanced (Object Access)", "Kernel Object", @@ -3334,7 +3334,7 @@ function GuideMSC { $channels = @("sec") $enabled = $enabledguid -contains $guid $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid - $current = if ($enabled) { "Enabled" } else { "No auditing" } + $current = if ($enabled) { "Enabled" } else { "No Auditing" } $auditResult += [WELA]::New( "Security Advanced (Object Access)", "Handle Manipulation", @@ -3352,7 +3352,7 @@ function GuideMSC { $channels = @("sec") $enabled = $enabledguid -contains $guid $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid - $current = if ($enabled) { "Enabled" } else { "No auditing" } + $current = if ($enabled) { "Enabled" } else { "No Auditing" } $auditResult += [WELA]::New( "Security Advanced (Object Access)", "Other Object Access Events", @@ -3370,7 +3370,7 @@ function GuideMSC { $channels = @("sec") $enabled = $enabledguid -contains $guid $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid - $current = if ($enabled) { "Enabled" } else { "No auditing" } + $current = if ($enabled) { "Enabled" } else { "No Auditing" } $auditResult += [WELA]::New( "Security Advanced (Object Access)", "Registry", @@ -3388,7 +3388,7 @@ function GuideMSC { $channels = @("sec") $enabled = $enabledguid -contains $guid $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid - $current = if ($enabled) { "Enabled" } else { "No auditing" } + $current = if ($enabled) { "Enabled" } else { "No Auditing" } $auditResult += [WELA]::New( "Security Advanced (Object Access)", "Removable Storage", 
@@ -3406,7 +3406,7 @@ function GuideMSC { $channels = @("sec") $enabled = $enabledguid -contains $guid $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid - $current = if ($enabled) { "Enabled" } else { "No auditing" } + $current = if ($enabled) { "Enabled" } else { "No Auditing" } $auditResult += [WELA]::New( "Security Advanced (Object Access)", "SAM", @@ -3425,7 +3425,7 @@ function GuideMSC { $channels = @("sec") $enabled = $enabledguid -contains $guid $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid - $current = if ($enabled) { "Enabled" } else { "No auditing" } + $current = if ($enabled) { "Enabled" } else { "No Auditing" } $auditResult += [WELA]::New( "Security Advanced (Policy Change)", "Audit Policy Change", @@ -3443,7 +3443,7 @@ function GuideMSC { $channels = @("sec") $enabled = $enabledguid -contains $guid $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid - $current = if ($enabled) { "Enabled" } else { "No auditing" } + $current = if ($enabled) { "Enabled" } else { "No Auditing" } $auditResult += [WELA]::New( "Security Advanced (Policy Change)", "Authentication Policy Change", @@ -3461,7 +3461,7 @@ function GuideMSC { $channels = @("sec") $enabled = $enabledguid -contains $guid $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid - $current = if ($enabled) { "Enabled" } else { "No auditing" } + $current = if ($enabled) { "Enabled" } else { "No Auditing" } $auditResult += [WELA]::New( "Security Advanced (Policy Change)", "Authorization Policy Change", @@ -3479,7 +3479,7 @@ function GuideMSC { $channels = @("sec") $enabled = $enabledguid -contains $guid $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid - $current = if ($enabled) { "Enabled" } else { "No auditing" } + $current = if ($enabled) { "Enabled" } else { "No Auditing" } $auditResult += [WELA]::New( "Security Advanced (Policy Change)", "Filtering Platform Policy Change", 
@@ -3497,7 +3497,7 @@ function GuideMSC { $channels = @("sec") $enabled = $enabledguid -contains $guid $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid - $current = if ($enabled) { "Enabled" } else { "No auditing" } + $current = if ($enabled) { "Enabled" } else { "No Auditing" } $auditResult += [WELA]::New( "Security Advanced (Policy Change)", "MPSSVC Rule-Level Policy Change", @@ -3515,7 +3515,7 @@ function GuideMSC { $channels = @("sec") $enabled = $enabledguid -contains $guid $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid - $current = if ($enabled) { "Enabled" } else { "No auditing" } + $current = if ($enabled) { "Enabled" } else { "No Auditing" } $auditResult += [WELA]::New( "Security Advanced (Policy Change)", "Other Policy Change Events", @@ -3534,7 +3534,7 @@ function GuideMSC { $channels = @("sec") $enabled = $enabledguid -contains $guid $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid - $current = if ($enabled) { "Enabled" } else { "No auditing" } + $current = if ($enabled) { "Enabled" } else { "No Auditing" } $auditResult += [WELA]::New( "Security Advanced (Privilege Use)", "Non-Sensitive Privilege Use", @@ -3552,7 +3552,7 @@ function GuideMSC { $channels = @("sec") $enabled = $enabledguid -contains $guid $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid - $current = if ($enabled) { "Enabled" } else { "No auditing" } + $current = if ($enabled) { "Enabled" } else { "No Auditing" } $auditResult += [WELA]::New( "Security Advanced (Privilege Use)", "Sensitive Privilege Use", @@ -3571,7 +3571,7 @@ function GuideMSC { $channels = @("sec") $enabled = $enabledguid -contains $guid $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid - $current = if ($enabled) { "Enabled" } else { "No auditing" } + $current = if ($enabled) { "Enabled" } else { "No Auditing" } $auditResult += [WELA]::New( "Security Advanced (System)", "Other System Events", 
@@ -3589,7 +3589,7 @@ function GuideMSC {
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Enabled" } else { "No auditing" }
+ $current = if ($enabled) { "Enabled" } else { "No Auditing" }
 $auditResult += [WELA]::New(
 "Security Advanced (System)",
 "Other System Events",
@@ -3607,7 +3607,7 @@ function GuideMSC {
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Enabled" } else { "No auditing" }
+ $current = if ($enabled) { "Enabled" } else { "No Auditing" }
 $auditResult += [WELA]::New(
 "Security Advanced (System)",
 "Security System Extension",
@@ -3625,7 +3625,7 @@ function GuideMSC {
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Enabled" } else { "No auditing" }
+ $current = if ($enabled) { "Enabled" } else { "No Auditing" }
 $auditResult += [WELA]::New(
 "Security Advanced (System)",
 "System Integrity",
@@ -3644,7 +3644,7 @@ function GuideMSC {
 $enabled = $true
 $rules = $all_rules | Where-Object { RuleFilter $_ $eids $channels $guid }
 $rules | ForEach-Object { $_.applicable = $enabled }
- $current = if ($enabled) { "Enabled" } else { "No auditing" }
+ $current = if ($enabled) { "Enabled" } else { "No Auditing" }
 $auditResult += [WELA]::New(
 "Security-Mitigations KernelMode",
 "",
@@ -3663,7 +3663,7 @@ function GuideMSC {
 $enabled = $true
 $rules = $all_rules | Where-Object { RuleFilter $_ $eids $channels $guid }
 $rules | ForEach-Object { $_.applicable = $enabled }
- $current = if ($enabled) { "Enabled" } else { "No auditing" }
+ $current = if ($enabled) { "Enabled" } else { "No Auditing" }
 $auditResult += [WELA]::New(
 "Security-Mitigations UserMode",
 "",
@@ -3682,7 +3682,7 @@ function GuideMSC {
 $enabled = $true
 $rules = $all_rules | Where-Object { RuleFilter $_ $eids $channels $guid }
 $rules | ForEach-Object { $_.applicable = $enabled }
- $current = if ($enabled) { "Enabled" } else { "No auditing" }
+ $current = if ($enabled) { "Enabled" } else { "No Auditing" }
 $auditResult += [WELA]::New(
 "SMBClient Security",
 "",
@@ -3962,7 +3962,7 @@ function GuideMSS {
 $enabled = CheckRegistryValue -registryPath "HKLM:\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\PowerShell\ModuleLogging" -valueName "EnableModuleLogging" -expectedValue 1
 $rules = $all_rules | Where-Object { RuleFilter $_ $eids $channels $guid }
 $rules | ForEach-Object { $_.applicable = $enabled }
- $current = if ($enabled) { "Enabled" } else { "No auditing" }
+ $current = if ($enabled) { "Enabled" } else { "No Auditing" }
 $auditResult += [WELA]::New(
 "PowerShell",
 "Module",
@@ -3981,7 +3981,7 @@ function GuideMSS {
 $enabled = CheckRegistryValue -registryPath "HKLM:\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging" -valueName "EnableScriptBlockLogging" -expectedValue 1
 $rules = $all_rules | Where-Object { RuleFilter $_ $eids $channels $guid }
 $rules | ForEach-Object { $_.applicable = $enabled }
- $current = if ($enabled) { "Enabled" } else { "No auditing" }
+ $current = if ($enabled) { "Enabled" } else { "No Auditing" }
 $auditResult += [WELA]::New(
 "PowerShell",
 "ScriptBlock",
@@ -4038,7 +4038,7 @@ function GuideMSS {
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Enabled" } else { "No auditing" }
+ $current = if ($enabled) { "Enabled" } else { "No Auditing" }
 $auditResult += [WELA]::New(
 "Security Advanced (Account Logon)",
 "Credential Validation",
@@ -4056,7 +4056,7 @@ function GuideMSS {
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Enabled" } else { "No auditing" }
+ $current = if ($enabled) { "Enabled" } else { "No Auditing" }
 $auditResult += [WELA]::New(
 "Security Advanced (Account Logon)",
 "Kerberos Authentication Service",
@@ -4074,7 +4074,7 @@ function GuideMSS {
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Enabled" } else { "No auditing" }
+ $current = if ($enabled) { "Enabled" } else { "No Auditing" }
 $auditResult += [WELA]::New(
 "Security Advanced (Account Logon)",
 "Kerberos Service Ticket Operations",
@@ -4093,7 +4093,7 @@ function GuideMSS {
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Enabled" } else { "No auditing" }
+ $current = if ($enabled) { "Enabled" } else { "No Auditing" }
 $auditResult += [WELA]::New(
 "Security Advanced (Account Management)",
 "Computer Account Management",
@@ -4111,7 +4111,7 @@ function GuideMSS {
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Enabled" } else { "No auditing" }
+ $current = if ($enabled) { "Enabled" } else { "No Auditing" }
 $auditResult += [WELA]::New(
 "Security Advanced (Account Management)",
 "Other Account Management Events",
@@ -4129,7 +4129,7 @@ function GuideMSS {
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Enabled" } else { "No auditing" }
+ $current = if ($enabled) { "Enabled" } else { "No Auditing" }
 $auditResult += [WELA]::New(
 "Security Advanced (Account Management)",
 "Security Group Management",
@@ -4147,7 +4147,7 @@ function GuideMSS {
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Enabled" } else { "No auditing" }
+ $current = if ($enabled) { "Enabled" } else { "No Auditing" }
 $auditResult += [WELA]::New(
 "Security Advanced (Account Management)",
 "User Account Management",
@@ -4166,7 +4166,7 @@ function GuideMSS {
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Enabled" } else { "No auditing" }
+ $current = if ($enabled) { "Enabled" } else { "No Auditing" }
 $auditResult += [WELA]::New(
 "Security Advanced (Detailed Tracking)",
 "Plug and Play Events",
@@ -4184,7 +4184,7 @@ function GuideMSS {
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Enabled" } else { "No auditing" }
+ $current = if ($enabled) { "Enabled" } else { "No Auditing" }
 $auditResult += [WELA]::New(
 "Security Advanced (Detailed Tracking)",
 "Process Creation",
@@ -4202,7 +4202,7 @@ function GuideMSS {
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Enabled" } else { "No auditing" }
+ $current = if ($enabled) { "Enabled" } else { "No Auditing" }
 $auditResult += [WELA]::New(
 "Security Advanced (Detailed Tracking)",
 "Process Termination",
@@ -4220,7 +4220,7 @@ function GuideMSS {
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Enabled" } else { "No auditing" }
+ $current = if ($enabled) { "Enabled" } else { "No Auditing" }
 $auditResult += [WELA]::New(
 "Security Advanced (Detailed Tracking)",
 "RPC Events",
@@ -4238,7 +4238,7 @@ function GuideMSS {
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Enabled" } else { "No auditing" }
+ $current = if ($enabled) { "Enabled" } else { "No Auditing" }
 $auditResult += [WELA]::New(
 "Security Advanced (Detailed Tracking)",
 "Token Right Adjusted Events",
@@ -4257,7 +4257,7 @@ function GuideMSS {
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Enabled" } else { "No auditing" }
+ $current = if ($enabled) { "Enabled" } else { "No Auditing" }
 $auditResult += [WELA]::New(
 "Security Advanced (DS Access)",
 "Directory Service Access",
@@ -4275,7 +4275,7 @@ function GuideMSS {
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Enabled" } else { "No auditing" }
+ $current = if ($enabled) { "Enabled" } else { "No Auditing" }
 $auditResult += [WELA]::New(
 "Security Advanced (DS Access)",
 "Directory Service Changes",
@@ -4294,7 +4294,7 @@ function GuideMSS {
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Enabled" } else { "No auditing" }
+ $current = if ($enabled) { "Enabled" } else { "No Auditing" }
 $auditResult += [WELA]::New(
 "Security Advanced (Logon/Logoff)",
 "Account Lockout",
@@ -4312,7 +4312,7 @@ function GuideMSS {
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Enabled" } else { "No auditing" }
+ $current = if ($enabled) { "Enabled" } else { "No Auditing" }
 $auditResult += [WELA]::New(
 "Security Advanced (Logon/Logoff)",
 "Group Membership",
@@ -4330,7 +4330,7 @@ function GuideMSS {
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Enabled" } else { "No auditing" }
+ $current = if ($enabled) { "Enabled" } else { "No Auditing" }
 $auditResult += [WELA]::New(
 "Security Advanced (Logon/Logoff)",
 "Group Membership",
@@ -4348,7 +4348,7 @@ function GuideMSS {
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Enabled" } else { "No auditing" }
+ $current = if ($enabled) { "Enabled" } else { "No Auditing" }
 $auditResult += [WELA]::New(
 "Security Advanced (Logon/Logoff)",
 "Logon",
@@ -4366,7 +4366,7 @@ function GuideMSS {
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Enabled" } else { "No auditing" }
+ $current = if ($enabled) { "Enabled" } else { "No Auditing" }
 $auditResult += [WELA]::New(
 "Security Advanced (Logon/Logoff)",
 "Other Logon/Logoff Events",
@@ -4384,7 +4384,7 @@ function GuideMSS {
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Enabled" } else { "No auditing" }
+ $current = if ($enabled) { "Enabled" } else { "No Auditing" }
 $auditResult += [WELA]::New(
 "Security Advanced (Logon/Logoff)",
 "Special Logon",
@@ -4404,7 +4404,7 @@ function GuideMSS {
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Enabled" } else { "No auditing" }
+ $current = if ($enabled) { "Enabled" } else { "No Auditing" }
 $auditResult += [WELA]::New(
 "Security Advanced (Object Access)",
 "Certification Services",
@@ -4422,7 +4422,7 @@ function GuideMSS {
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Enabled" } else { "No auditing" }
+ $current = if ($enabled) { "Enabled" } else { "No Auditing" }
 $auditResult += [WELA]::New(
 "Security Advanced (Object Access)",
 "Certification Services",
@@ -4440,7 +4440,7 @@ function GuideMSS {
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Enabled" } else { "No auditing" }
+ $current = if ($enabled) { "Enabled" } else { "No Auditing" }
 $auditResult += [WELA]::New(
 "Security Advanced (Object Access)",
 "File Share",
@@ -4458,7 +4458,7 @@ function GuideMSS {
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Enabled" } else { "No auditing" }
+ $current = if ($enabled) { "Enabled" } else { "No Auditing" }
 $auditResult += [WELA]::New(
 "Security Advanced (Object Access)",
 "File System",
@@ -4476,7 +4476,7 @@ function GuideMSS {
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Enabled" } else { "No auditing" }
+ $current = if ($enabled) { "Enabled" } else { "No Auditing" }
 $auditResult += [WELA]::New(
 "Security Advanced (Object Access)",
 "Filtering Platform Connection",
@@ -4494,7 +4494,7 @@ function GuideMSS {
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Enabled" } else { "No auditing" }
+ $current = if ($enabled) { "Enabled" } else { "No Auditing" }
 $auditResult += [WELA]::New(
 "Security Advanced (Object Access)",
 "Filtering Platform Packet Drop",
@@ -4512,7 +4512,7 @@ function GuideMSS {
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Enabled" } else { "No auditing" }
+ $current = if ($enabled) { "Enabled" } else { "No Auditing" }
 $auditResult += [WELA]::New(
 "Security Advanced (Object Access)",
 "Kernel Object",
@@ -4530,7 +4530,7 @@ function GuideMSS {
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Enabled" } else { "No auditing" }
+ $current = if ($enabled) { "Enabled" } else { "No Auditing" }
 $auditResult += [WELA]::New(
 "Security Advanced (Object Access)",
 "Handle Manipulation",
@@ -4548,7 +4548,7 @@ function GuideMSS {
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Enabled" } else { "No auditing" }
+ $current = if ($enabled) { "Enabled" } else { "No Auditing" }
 $auditResult += [WELA]::New(
 "Security Advanced (Object Access)",
 "Other Object Access Events",
@@ -4566,7 +4566,7 @@ function GuideMSS {
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Enabled" } else { "No auditing" }
+ $current = if ($enabled) { "Enabled" } else { "No Auditing" }
 $auditResult += [WELA]::New(
 "Security Advanced (Object Access)",
 "Registry",
@@ -4584,7 +4584,7 @@ function GuideMSS {
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Enabled" } else { "No auditing" }
+ $current = if ($enabled) { "Enabled" } else { "No Auditing" }
 $auditResult += [WELA]::New(
 "Security Advanced (Object Access)",
 "Removable Storage",
@@ -4602,7 +4602,7 @@ function GuideMSS {
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Enabled" } else { "No auditing" }
+ $current = if ($enabled) { "Enabled" } else { "No Auditing" }
 $auditResult += [WELA]::New(
 "Security Advanced (Object Access)",
 "SAM",
@@ -4621,7 +4621,7 @@ function GuideMSS {
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Enabled" } else { "No auditing" }
+ $current = if ($enabled) { "Enabled" } else { "No Auditing" }
 $auditResult += [WELA]::New(
 "Security Advanced (Policy Change)",
 "Audit Policy Change",
@@ -4639,7 +4639,7 @@ function GuideMSS {
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Enabled" } else { "No auditing" }
+ $current = if ($enabled) { "Enabled" } else { "No Auditing" }
 $auditResult += [WELA]::New(
 "Security Advanced (Policy Change)",
 "Authentication Policy Change",
@@ -4657,7 +4657,7 @@ function GuideMSS {
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Enabled" } else { "No auditing" }
+ $current = if ($enabled) { "Enabled" } else { "No Auditing" }
 $auditResult += [WELA]::New(
 "Security Advanced (Policy Change)",
 "Authorization Policy Change",
@@ -4675,7 +4675,7 @@ function GuideMSS {
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Enabled" } else { "No auditing" }
+ $current = if ($enabled) { "Enabled" } else { "No Auditing" }
 $auditResult += [WELA]::New(
 "Security Advanced (Policy Change)",
 "Filtering Platform Policy Change",
@@ -4693,7 +4693,7 @@ function GuideMSS {
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Enabled" } else { "No auditing" }
+ $current = if ($enabled) { "Enabled" } else { "No Auditing" }
 $auditResult += [WELA]::New(
 "Security Advanced (Policy Change)",
 "MPSSVC Rule-Level Policy Change",
@@ -4711,7 +4711,7 @@ function GuideMSS {
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Enabled" } else { "No auditing" }
+ $current = if ($enabled) { "Enabled" } else { "No Auditing" }
 $auditResult += [WELA]::New(
 "Security Advanced (Policy Change)",
 "Other Policy Change Events",
@@ -4730,7 +4730,7 @@ function GuideMSS {
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Enabled" } else { "No auditing" }
+ $current = if ($enabled) { "Enabled" } else { "No Auditing" }
 $auditResult += [WELA]::New(
 "Security Advanced (Privilege Use)",
 "Non-Sensitive Privilege Use",
@@ -4748,7 +4748,7 @@ function GuideMSS {
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Enabled" } else { "No auditing" }
+ $current = if ($enabled) { "Enabled" } else { "No Auditing" }
 $auditResult += [WELA]::New(
 "Security Advanced (Privilege Use)",
 "Sensitive Privilege Use",
@@ -4767,7 +4767,7 @@ function GuideMSS {
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Enabled" } else { "No auditing" }
+ $current = if ($enabled) { "Enabled" } else { "No Auditing" }
 $auditResult += [WELA]::New(
 "Security Advanced (System)",
 "Other System Events",
@@ -4785,7 +4785,7 @@ function GuideMSS {
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Enabled" } else { "No auditing" }
+ $current = if ($enabled) { "Enabled" } else { "No Auditing" }
 $auditResult += [WELA]::New(
 "Security Advanced (System)",
 "Other System Events",
@@ -4803,7 +4803,7 @@ function GuideMSS {
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Enabled" } else { "No auditing" }
+ $current = if ($enabled) { "Enabled" } else { "No Auditing" }
 $auditResult += [WELA]::New(
 "Security Advanced (System)",
 "Security System Extension",
@@ -4821,7 +4821,7 @@ function GuideMSS {
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Enabled" } else { "No auditing" }
+ $current = if ($enabled) { "Enabled" } else { "No Auditing" }
 $auditResult += [WELA]::New(
 "Security Advanced (System)",
 "System Integrity",
From ee605c8cd92a18d540829eefd7a37b541bf5a04b Mon Sep 17 00:00:00 2001
From: fukusuket <41001169+fukusuket@users.noreply.github.com>
Date: Fri, 16 May 2025 14:48:53 +0900
Subject: [PATCH 09/15] feat: add currentsetting
---
 WELA.ps1 | 388 +++++++++++++++++++++++++++----------------------------
 1 file changed, 194 insertions(+), 194 deletions(-)
diff --git a/WELA.ps1 b/WELA.ps1
index 39fc2bb1..d6717d2e 100644
--- a/WELA.ps1
+++ b/WELA.ps1
@@ -371,7 +371,7 @@ function GuideYamatoSecurity
 $enabled = CheckRegistryValue -registryPath "HKLM:\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\PowerShell\ModuleLogging" -valueName "EnableModuleLogging" -expectedValue 1
 $rules = $all_rules | Where-Object { RuleFilter $_ $eids $channels $guid }
 $rules | ForEach-Object { $_.applicable = $enabled }
- $current = if ($enabled) { "Enabled" } else { "No Auditing" }
+ $current = if ($enabled) { "Success and Failure" } else { "No Auditing" }
 $auditResult += [WELA]::New(
 "PowerShell",
 "Module",
@@ -390,7 +390,7 @@ function GuideYamatoSecurity
 $enabled = CheckRegistryValue -registryPath "HKLM:\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging" -valueName "EnableScriptBlockLogging" -expectedValue 1
 $rules = $all_rules | Where-Object { RuleFilter $_ $eids $channels $guid }
 $rules | ForEach-Object { $_.applicable = $enabled }
- $current = if ($enabled) { "Enabled" } else { "No Auditing" }
+ $current = if ($enabled) { "Success and Failure" } else { "No Auditing" }
 $auditResult += [WELA]::New(
 "PowerShell",
 "ScriptBlock",
@@ -447,7 +447,7 @@ function GuideYamatoSecurity
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Enabled" } else { "No Auditing" }
+ $current = if ($enabled) { "Success and Failure" } else { "No Auditing" }
 $auditResult += [WELA]::New(
 "Security Advanced (Account Logon)",
 "Credential Validation",
@@ -465,7 +465,7 @@ function GuideYamatoSecurity
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Enabled" } else { "No Auditing" }
+ $current = if ($enabled) { "Success and Failure" } else { "No Auditing" }
 $auditResult += [WELA]::New(
 "Security Advanced (Account Logon)",
 "Kerberos Authentication Service",
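Review bot: `$current = if ($enabled) { "Success and Failure" } else { "No Auditing" }` claims a more precise setting than the code observes: in the `@@ -447` and `@@ -465` hunks `$enabled` is the boolean `$enabledguid -contains $guid`, which only says the subcategory GUID is in the enabled list, so a subcategory configured for Success-only or Failure-only is reported as "Success and Failure" and the report overstates coverage exactly where a gap matters most (e.g. a Logon subcategory whose Failure side is off reads as fully audited). Unless `$enabledguid` is built so that only Success-and-Failure subcategories land in it (not visible here — confirm), keep `"Enabled"` or derive the label from a source that distinguishes the two sides. The first two hunks (`@@ -371`, `@@ -390`) are registry-backed Module and ScriptBlock logging checks against `-expectedValue 1`, where "Success and Failure" is not a meaningful state at all and the previous `"Enabled"` was accurate. The same point applies to every later hunk in this chunk through `@@ -1048`; GuideYamatoSecurity starts and ends outside these hunks.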
@@ -483,7 +483,7 @@ function GuideYamatoSecurity
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Enabled" } else { "No Auditing" }
+ $current = if ($enabled) { "Success and Failure" } else { "No Auditing" }
 $auditResult += [WELA]::New(
 "Security Advanced (Account Logon)",
 "Kerberos Service Ticket Operations",
@@ -502,7 +502,7 @@ function GuideYamatoSecurity
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Enabled" } else { "No Auditing" }
+ $current = if ($enabled) { "Success and Failure" } else { "No Auditing" }
 $auditResult += [WELA]::New(
 "Security Advanced (Account Management)",
 "Computer Account Management",
@@ -520,7 +520,7 @@ function GuideYamatoSecurity
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Enabled" } else { "No Auditing" }
+ $current = if ($enabled) { "Success and Failure" } else { "No Auditing" }
 $auditResult += [WELA]::New(
 "Security Advanced (Account Management)",
 "Other Account Management Events",
@@ -538,7 +538,7 @@ function GuideYamatoSecurity
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Enabled" } else { "No Auditing" }
+ $current = if ($enabled) { "Success and Failure" } else { "No Auditing" }
 $auditResult += [WELA]::New(
 "Security Advanced (Account Management)",
 "Security Group Management",
@@ -556,7 +556,7 @@ function GuideYamatoSecurity
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Enabled" } else { "No Auditing" }
+ $current = if ($enabled) { "Success and Failure" } else { "No Auditing" }
 $auditResult += [WELA]::New(
 "Security Advanced (Account Management)",
 "User Account Management",
@@ -575,7 +575,7 @@ function GuideYamatoSecurity
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Enabled" } else { "No Auditing" }
+ $current = if ($enabled) { "Success and Failure" } else { "No Auditing" }
 $auditResult += [WELA]::New(
 "Security Advanced (Detailed Tracking)",
 "Plug and Play Events",
@@ -593,7 +593,7 @@ function GuideYamatoSecurity
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Enabled" } else { "No Auditing" }
+ $current = if ($enabled) { "Success and Failure" } else { "No Auditing" }
 $auditResult += [WELA]::New(
 "Security Advanced (Detailed Tracking)",
 "Process Creation",
@@ -611,7 +611,7 @@ function GuideYamatoSecurity
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Enabled" } else { "No Auditing" }
+ $current = if ($enabled) { "Success and Failure" } else { "No Auditing" }
 $auditResult += [WELA]::New(
 "Security Advanced (Detailed Tracking)",
 "Process Termination",
@@ -629,7 +629,7 @@ function GuideYamatoSecurity
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Enabled" } else { "No Auditing" }
+ $current = if ($enabled) { "Success and Failure" } else { "No Auditing" }
 $auditResult += [WELA]::New(
 "Security Advanced (Detailed Tracking)",
 "RPC Events",
@@ -647,7 +647,7 @@ function GuideYamatoSecurity
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Enabled" } else { "No Auditing" }
+ $current = if ($enabled) { "Success and Failure" } else { "No Auditing" }
 $auditResult += [WELA]::New(
 "Security Advanced (Detailed Tracking)",
 "Token Right Adjusted Events",
@@ -666,7 +666,7 @@ function GuideYamatoSecurity
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Enabled" } else { "No Auditing" }
+ $current = if ($enabled) { "Success and Failure" } else { "No Auditing" }
 $auditResult += [WELA]::New(
 "Security Advanced (DS Access)",
 "Directory Service Access",
@@ -684,7 +684,7 @@ function GuideYamatoSecurity
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Enabled" } else { "No Auditing" }
+ $current = if ($enabled) { "Success and Failure" } else { "No Auditing" }
 $auditResult += [WELA]::New(
 "Security Advanced (DS Access)",
 "Directory Service Changes",
@@ -703,7 +703,7 @@ function GuideYamatoSecurity
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Enabled" } else { "No Auditing" }
+ $current = if ($enabled) { "Success and Failure" } else { "No Auditing" }
 $auditResult += [WELA]::New(
 "Security Advanced (Logon/Logoff)",
 "Account Lockout",
@@ -721,7 +721,7 @@ function GuideYamatoSecurity
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Enabled" } else { "No Auditing" }
+ $current = if ($enabled) { "Success and Failure" } else { "No Auditing" }
 $auditResult += [WELA]::New(
 "Security Advanced (Logon/Logoff)",
 "Group Membership",
@@ -739,7 +739,7 @@ function GuideYamatoSecurity
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Enabled" } else { "No Auditing" }
+ $current = if ($enabled) { "Success and Failure" } else { "No Auditing" }
 $auditResult += [WELA]::New(
 "Security Advanced (Logon/Logoff)",
 "Group Membership",
@@ -757,7 +757,7 @@ function GuideYamatoSecurity
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Enabled" } else { "No Auditing" }
+ $current = if ($enabled) { "Success and Failure" } else { "No Auditing" }
 $auditResult += [WELA]::New(
 "Security Advanced (Logon/Logoff)",
 "Logon",
@@ -775,7 +775,7 @@ function GuideYamatoSecurity
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Enabled" } else { "No Auditing" }
+ $current = if ($enabled) { "Success and Failure" } else { "No Auditing" }
 $auditResult += [WELA]::New(
 "Security Advanced (Logon/Logoff)",
 "Other Logon/Logoff Events",
@@ -793,7 +793,7 @@ function GuideYamatoSecurity
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Enabled" } else { "No Auditing" }
+ $current = if ($enabled) { "Success and Failure" } else { "No Auditing" }
 $auditResult += [WELA]::New(
 "Security Advanced (Logon/Logoff)",
 "Special Logon",
@@ -813,7 +813,7 @@ function GuideYamatoSecurity
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Enabled" } else { "No Auditing" }
+ $current = if ($enabled) { "Success and Failure" } else { "No Auditing" }
 $auditResult += [WELA]::New(
 "Security Advanced (Object Access)",
 "Certification Services",
@@ -831,7 +831,7 @@ function GuideYamatoSecurity
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Enabled" } else { "No Auditing" }
+ $current = if ($enabled) { "Success and Failure" } else { "No Auditing" }
 $auditResult += [WELA]::New(
 "Security Advanced (Object Access)",
 "Certification Services",
@@ -849,7 +849,7 @@ function GuideYamatoSecurity
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Enabled" } else { "No Auditing" }
+ $current = if ($enabled) { "Success and Failure" } else { "No Auditing" }
 $auditResult += [WELA]::New(
 "Security Advanced (Object Access)",
 "File Share",
@@ -867,7 +867,7 @@ function GuideYamatoSecurity
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Enabled" } else { "No Auditing" }
+ $current = if ($enabled) { "Success and Failure" } else { "No Auditing" }
 $auditResult += [WELA]::New(
 "Security Advanced (Object Access)",
 "File System",
@@ -885,7 +885,7 @@ function GuideYamatoSecurity
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Enabled" } else { "No Auditing" }
+ $current = if ($enabled) { "Success and Failure" } else { "No Auditing" }
 $auditResult += [WELA]::New(
 "Security Advanced (Object Access)",
 "Filtering Platform Connection",
@@ -903,7 +903,7 @@ function GuideYamatoSecurity
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Enabled" } else { "No Auditing" }
+ $current = if ($enabled) { "Success and Failure" } else { "No Auditing" }
 $auditResult += [WELA]::New(
 "Security Advanced (Object Access)",
 "Filtering Platform Packet Drop",
@@ -921,7 +921,7 @@ function GuideYamatoSecurity
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Enabled" } else { "No Auditing" }
+ $current = if ($enabled) { "Success and Failure" } else { "No Auditing" }
 $auditResult += [WELA]::New(
 "Security Advanced (Object Access)",
 "Kernel Object",
@@ -939,7 +939,7 @@ function GuideYamatoSecurity
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Enabled" } else { "No Auditing" }
+ $current = if ($enabled) { "Success and Failure" } else { "No Auditing" }
 $auditResult += [WELA]::New(
 "Security Advanced (Object Access)",
 "Handle Manipulation",
@@ -957,7 +957,7 @@ function GuideYamatoSecurity
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Enabled" } else { "No Auditing" }
+ $current = if ($enabled) { "Success and Failure" } else { "No Auditing" }
 $auditResult += [WELA]::New(
 "Security Advanced (Object Access)",
 "Other Object Access Events",
@@ -975,7 +975,7 @@ function GuideYamatoSecurity
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Enabled" } else { "No Auditing" }
+ $current = if ($enabled) { "Success and Failure" } else { "No Auditing" }
 $auditResult += [WELA]::New(
 "Security Advanced (Object Access)",
 "Registry",
@@ -993,7 +993,7 @@ function GuideYamatoSecurity
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Enabled" } else { "No Auditing" }
+ $current = if ($enabled) { "Success and Failure" } else { "No Auditing" }
 $auditResult += [WELA]::New(
 "Security Advanced (Object Access)",
 "Removable Storage",
@@ -1011,7 +1011,7 @@ function GuideYamatoSecurity
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Enabled" } else { "No Auditing" }
+ $current = if ($enabled) { "Success and Failure" } else { "No Auditing" }
 $auditResult += [WELA]::New(
 "Security Advanced (Object Access)",
 "SAM",
@@ -1030,7 +1030,7 @@ function GuideYamatoSecurity
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Enabled" } else { "No Auditing" }
+ $current = if ($enabled) { "Success and Failure" } else { "No Auditing" }
 $auditResult += [WELA]::New(
 "Security Advanced (Policy Change)",
 "Audit Policy Change",
@@ -1048,7 +1048,7 @@ function GuideYamatoSecurity
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Enabled" } else { "No Auditing" }
+ $current = if ($enabled) { "Success and Failure" } else { "No Auditing" }
 $auditResult += [WELA]::New(
 "Security Advanced (Policy Change)",
 "Authentication Policy Change",
@@ -1066,7 +1066,7 @@ function GuideYamatoSecurity
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Enabled" } else { "No Auditing" }
+ $current = if ($enabled) { "Success and Failure" } else { "No Auditing" }
 $auditResult += [WELA]::New(
 "Security Advanced (Policy Change)",
 "Authorization Policy Change",
@@ -1084,7 +1084,7 @@ function GuideYamatoSecurity
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Enabled" } else { "No Auditing" }
+ $current = if ($enabled) { "Success and Failure" } else { "No Auditing" }
 $auditResult += [WELA]::New(
 "Security Advanced (Policy Change)",
 "Filtering Platform Policy Change",
@@ -1102,7 +1102,7 @@ function GuideYamatoSecurity
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Enabled" } else { "No Auditing" }
+ $current = if ($enabled) { "Success and Failure" } else { "No Auditing" }
 $auditResult += [WELA]::New(
 "Security Advanced (Policy Change)",
 "MPSSVC Rule-Level Policy Change",
@@ -1120,7 +1120,7 @@ function GuideYamatoSecurity
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Enabled" } else { "No Auditing" }
+ $current = if ($enabled) { "Success and Failure" } else { "No Auditing" }
 $auditResult += [WELA]::New(
 "Security Advanced (Policy Change)",
 "Other Policy Change Events",
@@ -1139,7 +1139,7 @@ function GuideYamatoSecurity
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Enabled" } else { "No Auditing" }
+ $current = if ($enabled) { "Success and Failure" } else { "No Auditing" }
 $auditResult += [WELA]::New(
 "Security Advanced (Privilege Use)",
 "Non-Sensitive Privilege Use",
@@ -1157,7 +1157,7 @@ function GuideYamatoSecurity
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Enabled" } else { "No Auditing" }
+ $current = if ($enabled) { "Success and Failure" } else { "No Auditing" }
 $auditResult += [WELA]::New(
 "Security Advanced (Privilege Use)",
 "Sensitive Privilege Use",
@@ -1176,7 +1176,7 @@ function GuideYamatoSecurity
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Enabled" } else { "No Auditing" }
+ $current = if ($enabled) { "Success and Failure" } else { "No Auditing" }
 $auditResult += [WELA]::New(
 "Security Advanced (System)",
 "Other System Events",
@@ -1194,7 +1194,7 @@ function GuideYamatoSecurity
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Enabled" } else { "No Auditing" }
+ $current = if ($enabled) { "Success and Failure" } else { "No Auditing" }
 $auditResult += [WELA]::New(
 "Security Advanced (System)",
 "Other System Events",
@@ -1212,7 +1212,7 @@ function GuideYamatoSecurity
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Enabled" } else { "No Auditing" }
+ $current = if ($enabled) { "Success and Failure" } else { "No Auditing" }
 $auditResult += [WELA]::New(
 "Security Advanced (System)",
 "Security System Extension",
@@ -1230,7 +1230,7 @@ function GuideYamatoSecurity
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Enabled" } else { "No Auditing" }
+ $current = if ($enabled) { "Success and Failure" } else { "No Auditing" }
 $auditResult += [WELA]::New(
 "Security Advanced (System)",
 "System Integrity",
@@ -1249,7 +1249,7 @@ function GuideYamatoSecurity
 $enabled = $true
 $rules = $all_rules | Where-Object { RuleFilter $_ $eids $channels $guid }
 $rules | ForEach-Object { $_.applicable = $enabled }
- $current = if ($enabled) { "Enabled" } else { "No Auditing" }
+ $current = if ($enabled) { "Success and Failure" } else { "No Auditing" }
 $auditResult += [WELA]::New(
 "Security-Mitigations KernelMode",
 "",
@@ -1268,7 +1268,7 @@ function GuideYamatoSecurity
 $enabled = $true
 $rules = $all_rules | Where-Object { RuleFilter $_ $eids $channels $guid }
 $rules | ForEach-Object { $_.applicable = $enabled }
- $current = if ($enabled) { "Enabled" } else { "No Auditing" }
+ $current = if ($enabled) { "Success and Failure" } else { "No Auditing" }
 $auditResult += [WELA]::New(
 "Security-Mitigations UserMode",
 "",
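Review bot: In the Security-Mitigations KernelMode and UserMode hunks `$enabled` is hard-coded to `$true`, so the new `$current` is the constant `"Success and Failure"`; that is an audit-policy term, while these entries are event-log channels, so the label reflects neither a real check nor the kind of setting being described. The same holds for the SMBClient Security and System hunks on the next line and for the Security-Mitigations and SMBClient hunks in GuideASD. Keeping `"Enabled"` for channel-based entries, as the Applocker and Bits-Client entries earlier in this commit do, keeps the column truthful; if the intent is to actually verify the channel, `Get-WinEvent -ListLog <channel name>` exposes an `IsEnabled` property that could feed `$enabled` instead of the literal `$true`. The enclosing function starts and ends outside the hunk.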
@@ -1287,7 +1287,7 @@ function GuideYamatoSecurity
 $enabled = $true
 $rules = $all_rules | Where-Object { RuleFilter $_ $eids $channels $guid }
 $rules | ForEach-Object { $_.applicable = $enabled }
- $current = if ($enabled) { "Enabled" } else { "No Auditing" }
+ $current = if ($enabled) { "Success and Failure" } else { "No Auditing" }
 $auditResult += [WELA]::New(
 "SMBClient Security",
 "",
@@ -1306,7 +1306,7 @@ function GuideYamatoSecurity
 $enabled = $true
 $rules = $all_rules | Where-Object { RuleFilter $_ $eids $channels $guid }
 $rules | ForEach-Object { $_.applicable = $enabled }
- $current = if ($enabled) { "Enabled" } else { "No Auditing" }
+ $current = if ($enabled) { "Success and Failure" } else { "No Auditing" }
 $auditResult += [WELA]::New(
 "System",
 "",
@@ -1569,7 +1569,7 @@ function GuideASD {
 $enabled = CheckRegistryValue -registryPath "HKLM:\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\PowerShell\ModuleLogging" -valueName "EnableModuleLogging" -expectedValue 1
 $rules = $all_rules | Where-Object { RuleFilter $_ $eids $channels $guid }
 $rules | ForEach-Object { $_.applicable = $enabled }
- $current = if ($enabled) { "Enabled" } else { "No Auditing" }
+ $current = if ($enabled) { "Success and Failure" } else { "No Auditing" }
 $auditResult += [WELA]::New(
 "PowerShell",
 "Module",
@@ -1588,7 +1588,7 @@ function GuideASD {
 $enabled = CheckRegistryValue -registryPath "HKLM:\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging" -valueName "EnableScriptBlockLogging" -expectedValue 1
 $rules = $all_rules | Where-Object { RuleFilter $_ $eids $channels $guid }
 $rules | ForEach-Object { $_.applicable = $enabled }
- $current = if ($enabled) { "Enabled" } else { "No Auditing" }
+ $current = if ($enabled) { "Success and Failure" } else { "No Auditing" }
 $auditResult += [WELA]::New(
 "PowerShell",
 "ScriptBlock",
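Review bot: In the PowerShell Module and ScriptBlock hunks `$enabled` comes from `CheckRegistryValue ... -expectedValue 1`, an on/off registry toggle, so `"Success and Failure"` names a state this setting cannot have; the previous `"Enabled"` was the accurate label. The same relabel appears in the GuideMSC hunks @@ -2766 and @@ -2785 further down. Separately, the check reads only the `Wow6432Node` policy path; a policy present only under the native `HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell` key would make logging that is actually on show up as `"No Auditing"`, which is the false negative an audit tool most needs to avoid, so reading both views (or confirming the Wow6432Node mirror is always populated on the target hosts) is worth a look. Whether `CheckRegistryValue` distinguishes an absent value from an explicit 0 is not visible here; if it does, reporting `"Not Configured"` separately from a deliberate disable would help the reader. GuideASD starts and ends outside the hunk.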
@@ -1645,7 +1645,7 @@ function GuideASD {
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Enabled" } else { "No Auditing" }
+ $current = if ($enabled) { "Success and Failure" } else { "No Auditing" }
 $auditResult += [WELA]::New(
 "Security Advanced (Account Logon)",
 "Credential Validation",
@@ -1663,7 +1663,7 @@ function GuideASD {
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Enabled" } else { "No Auditing" }
+ $current = if ($enabled) { "Success and Failure" } else { "No Auditing" }
 $auditResult += [WELA]::New(
 "Security Advanced (Account Logon)",
 "Kerberos Authentication Service",
@@ -1681,7 +1681,7 @@ function GuideASD {
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Enabled" } else { "No Auditing" }
+ $current = if ($enabled) { "Success and Failure" } else { "No Auditing" }
 $auditResult += [WELA]::New(
 "Security Advanced (Account Logon)",
 "Kerberos Service Ticket Operations",
@@ -1700,7 +1700,7 @@ function GuideASD {
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Enabled" } else { "No Auditing" }
+ $current = if ($enabled) { "Success and Failure" } else { "No Auditing" }
 $auditResult += [WELA]::New(
 "Security Advanced (Account Management)",
 "Computer Account Management",
@@ -1718,7 +1718,7 @@ function GuideASD {
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Enabled" } else { "No Auditing" }
+ $current = if ($enabled) { "Success and Failure" } else { "No Auditing" }
 $auditResult += [WELA]::New(
 "Security Advanced (Account Management)",
 "Other Account Management Events",
@@ -1736,7 +1736,7 @@ function GuideASD {
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Enabled" } else { "No Auditing" }
+ $current = if ($enabled) { "Success and Failure" } else { "No Auditing" }
 $auditResult += [WELA]::New(
 "Security Advanced (Account Management)",
 "Security Group Management",
@@ -1754,7 +1754,7 @@ function GuideASD {
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Enabled" } else { "No Auditing" }
+ $current = if ($enabled) { "Success and Failure" } else { "No Auditing" }
 $auditResult += [WELA]::New(
 "Security Advanced (Account Management)",
 "User Account Management",
@@ -1773,7 +1773,7 @@ function GuideASD {
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Enabled" } else { "No Auditing" }
+ $current = if ($enabled) { "Success and Failure" } else { "No Auditing" }
 $auditResult += [WELA]::New(
 "Security Advanced (Detailed Tracking)",
 "Plug and Play Events",
@@ -1791,7 +1791,7 @@ function GuideASD {
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Enabled" } else { "No Auditing" }
+ $current = if ($enabled) { "Success and Failure" } else { "No Auditing" }
 $auditResult += [WELA]::New(
 "Security Advanced (Detailed Tracking)",
 "Process Creation",
@@ -1809,7 +1809,7 @@ function GuideASD {
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Enabled" } else { "No Auditing" }
+ $current = if ($enabled) { "Success and Failure" } else { "No Auditing" }
 $auditResult += [WELA]::New(
 "Security Advanced (Detailed Tracking)",
 "Process Termination",
@@ -1827,7 +1827,7 @@ function GuideASD {
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Enabled" } else { "No Auditing" }
+ $current = if ($enabled) { "Success and Failure" } else { "No Auditing" }
 $auditResult += [WELA]::New(
 "Security Advanced (Detailed Tracking)",
 "RPC Events",
@@ -1845,7 +1845,7 @@ function GuideASD {
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Enabled" } else { "No Auditing" }
+ $current = if ($enabled) { "Success and Failure" } else { "No Auditing" }
 $auditResult += [WELA]::New(
 "Security Advanced (Detailed Tracking)",
 "Token Right Adjusted Events",
@@ -1864,7 +1864,7 @@ function GuideASD {
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Enabled" } else { "No Auditing" }
+ $current = if ($enabled) { "Success and Failure" } else { "No Auditing" }
 $auditResult += [WELA]::New(
 "Security Advanced (DS Access)",
 "Directory Service Access",
@@ -1882,7 +1882,7 @@ function GuideASD {
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Enabled" } else { "No Auditing" }
+ $current = if ($enabled) { "Success and Failure" } else { "No Auditing" }
 $auditResult += [WELA]::New(
 "Security Advanced (DS Access)",
 "Directory Service Changes",
@@ -1901,7 +1901,7 @@ function GuideASD {
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Enabled" } else { "No Auditing" }
+ $current = if ($enabled) { "Success and Failure" } else { "No Auditing" }
 $auditResult += [WELA]::New(
 "Security Advanced (Logon/Logoff)",
 "Account Lockout",
@@ -1919,7 +1919,7 @@ function GuideASD {
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Enabled" } else { "No Auditing" }
+ $current = if ($enabled) { "Success and Failure" } else { "No Auditing" }
 $auditResult += [WELA]::New(
 "Security Advanced (Logon/Logoff)",
 "Group Membership",
@@ -1937,7 +1937,7 @@ function GuideASD {
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Enabled" } else { "No Auditing" }
+ $current = if ($enabled) { "Success and Failure" } else { "No Auditing" }
 $auditResult += [WELA]::New(
 "Security Advanced (Logon/Logoff)",
 "Group Membership",
@@ -1955,7 +1955,7 @@ function GuideASD {
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Enabled" } else { "No Auditing" }
+ $current = if ($enabled) { "Success and Failure" } else { "No Auditing" }
 $auditResult += [WELA]::New(
 "Security Advanced (Logon/Logoff)",
 "Logon",
@@ -1973,7 +1973,7 @@ function GuideASD {
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Enabled" } else { "No Auditing" }
+ $current = if ($enabled) { "Success and Failure" } else { "No Auditing" }
 $auditResult += [WELA]::New(
 "Security Advanced (Logon/Logoff)",
 "Other Logon/Logoff Events",
@@ -1991,7 +1991,7 @@ function GuideASD {
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Enabled" } else { "No Auditing" }
+ $current = if ($enabled) { "Success and Failure" } else { "No Auditing" }
 $auditResult += [WELA]::New(
 "Security Advanced (Logon/Logoff)",
 "Special Logon",
@@ -2011,7 +2011,7 @@ function GuideASD {
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Enabled" } else { "No Auditing" }
+ $current = if ($enabled) { "Success and Failure" } else { "No Auditing" }
 $auditResult += [WELA]::New(
 "Security Advanced (Object Access)",
 "Certification Services",
@@ -2029,7 +2029,7 @@ function GuideASD {
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Enabled" } else { "No Auditing" }
+ $current = if ($enabled) { "Success and Failure" } else { "No Auditing" }
 $auditResult += [WELA]::New(
 "Security Advanced (Object Access)",
 "Certification Services",
@@ -2047,7 +2047,7 @@ function GuideASD {
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Enabled" } else { "No Auditing" }
+ $current = if ($enabled) { "Success and Failure" } else { "No Auditing" }
 $auditResult += [WELA]::New(
 "Security Advanced (Object Access)",
 "File Share",
@@ -2065,7 +2065,7 @@ function GuideASD {
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Enabled" } else { "No Auditing" }
+ $current = if ($enabled) { "Success and Failure" } else { "No Auditing" }
 $auditResult += [WELA]::New(
 "Security Advanced (Object Access)",
 "File System",
@@ -2083,7 +2083,7 @@ function GuideASD {
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Enabled" } else { "No Auditing" }
+ $current = if ($enabled) { "Success and Failure" } else { "No Auditing" }
 $auditResult += [WELA]::New(
 "Security Advanced (Object Access)",
 "Filtering Platform Connection",
@@ -2101,7 +2101,7 @@ function GuideASD {
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Enabled" } else { "No Auditing" }
+ $current = if ($enabled) { "Success and Failure" } else { "No Auditing" }
 $auditResult += [WELA]::New(
 "Security Advanced (Object Access)",
 "Filtering Platform Packet Drop",
@@ -2119,7 +2119,7 @@ function GuideASD {
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Enabled" } else { "No Auditing" }
+ $current = if ($enabled) { "Success and Failure" } else { "No Auditing" }
 $auditResult += [WELA]::New(
 "Security Advanced (Object Access)",
 "Kernel Object",
@@ -2137,7 +2137,7 @@ function GuideASD {
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Enabled" } else { "No Auditing" }
+ $current = if ($enabled) { "Success and Failure" } else { "No Auditing" }
 $auditResult += [WELA]::New(
 "Security Advanced (Object Access)",
 "Handle Manipulation",
@@ -2155,7 +2155,7 @@ function GuideASD {
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Enabled" } else { "No Auditing" }
+ $current = if ($enabled) { "Success and Failure" } else { "No Auditing" }
 $auditResult += [WELA]::New(
 "Security Advanced (Object Access)",
 "Other Object Access Events",
@@ -2173,7 +2173,7 @@ function GuideASD {
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Enabled" } else { "No Auditing" }
+ $current = if ($enabled) { "Success and Failure" } else { "No Auditing" }
 $auditResult += [WELA]::New(
 "Security Advanced (Object Access)",
 "Registry",
@@ -2191,7 +2191,7 @@ function GuideASD {
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Enabled" } else { "No Auditing" }
+ $current = if ($enabled) { "Success and Failure" } else { "No Auditing" }
 $auditResult += [WELA]::New(
 "Security Advanced (Object Access)",
 "Removable Storage",
@@ -2209,7 +2209,7 @@ function GuideASD {
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Enabled" } else { "No Auditing" }
+ $current = if ($enabled) { "Success and Failure" } else { "No Auditing" }
 $auditResult += [WELA]::New(
 "Security Advanced (Object Access)",
 "SAM",
@@ -2228,7 +2228,7 @@ function GuideASD {
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Enabled" } else { "No Auditing" }
+ $current = if ($enabled) { "Success and Failure" } else { "No Auditing" }
 $auditResult += [WELA]::New(
 "Security Advanced (Policy Change)",
 "Audit Policy Change",
@@ -2246,7 +2246,7 @@ function GuideASD {
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Enabled" } else { "No Auditing" }
+ $current = if ($enabled) { "Success and Failure" } else { "No Auditing" }
 $auditResult += [WELA]::New(
 "Security Advanced (Policy Change)",
 "Authentication Policy Change",
@@ -2264,7 +2264,7 @@ function GuideASD {
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Enabled" } else { "No Auditing" }
+ $current = if ($enabled) { "Success and Failure" } else { "No Auditing" }
 $auditResult += [WELA]::New(
 "Security Advanced (Policy Change)",
 "Authorization Policy Change",
@@ -2282,7 +2282,7 @@ function GuideASD {
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Enabled" } else { "No Auditing" }
+ $current = if ($enabled) { "Success and Failure" } else { "No Auditing" }
 $auditResult += [WELA]::New(
 "Security Advanced (Policy Change)",
 "Filtering Platform Policy Change",
@@ -2300,7 +2300,7 @@ function GuideASD {
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Enabled" } else { "No Auditing" }
+ $current = if ($enabled) { "Success and Failure" } else { "No Auditing" }
 $auditResult += [WELA]::New(
 "Security Advanced (Policy Change)",
 "MPSSVC Rule-Level Policy Change",
@@ -2318,7 +2318,7 @@ function GuideASD {
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Enabled" } else { "No Auditing" }
+ $current = if ($enabled) { "Success and Failure" } else { "No Auditing" }
 $auditResult += [WELA]::New(
 "Security Advanced (Policy Change)",
 "Other Policy Change Events",
@@ -2337,7 +2337,7 @@ function GuideASD {
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Enabled" } else { "No Auditing" }
+ $current = if ($enabled) { "Success and Failure" } else { "No Auditing" }
 $auditResult += [WELA]::New(
 "Security Advanced (Privilege Use)",
 "Non-Sensitive Privilege Use",
@@ -2355,7 +2355,7 @@ function GuideASD {
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Enabled" } else { "No Auditing" }
+ $current = if ($enabled) { "Success and Failure" } else { "No Auditing" }
 $auditResult += [WELA]::New(
 "Security Advanced (Privilege Use)",
 "Sensitive Privilege Use",
@@ -2374,7 +2374,7 @@ function GuideASD {
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Enabled" } else { "No Auditing" }
+ $current = if ($enabled) { "Success and Failure" } else { "No Auditing" }
 $auditResult += [WELA]::New(
 "Security Advanced (System)",
 "Other System Events",
@@ -2392,7 +2392,7 @@ function GuideASD {
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Enabled" } else { "No Auditing" }
+ $current = if ($enabled) { "Success and Failure" } else { "No Auditing" }
 $auditResult += [WELA]::New(
 "Security Advanced (System)",
 "Other System Events",
@@ -2410,7 +2410,7 @@ function GuideASD {
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Enabled" } else { "No Auditing" }
+ $current = if ($enabled) { "Success and Failure" } else { "No Auditing" }
 $auditResult += [WELA]::New(
 "Security Advanced (System)",
 "Security System Extension",
@@ -2428,7 +2428,7 @@ function GuideASD {
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Enabled" } else { "No Auditing" }
+ $current = if ($enabled) { "Success and Failure" } else { "No Auditing" }
 $auditResult += [WELA]::New(
 "Security Advanced (System)",
 "System Integrity",
@@ -2447,7 +2447,7 @@ function GuideASD {
 $enabled = $true
 $rules = $all_rules | Where-Object { RuleFilter $_ $eids $channels $guid }
 $rules | ForEach-Object { $_.applicable = $enabled }
- $current = if ($enabled) { "Enabled" } else { "No Auditing" }
+ $current = if ($enabled) { "Success and Failure" } else { "No Auditing" }
 $auditResult += [WELA]::New(
 "Security-Mitigations KernelMode",
 "",
@@ -2466,7 +2466,7 @@ function GuideASD {
 $enabled = $true
 $rules = $all_rules | Where-Object { RuleFilter $_ $eids $channels $guid }
 $rules | ForEach-Object { $_.applicable = $enabled }
- $current = if ($enabled) { "Enabled" } else { "No Auditing" }
+ $current = if ($enabled) { "Success and Failure" } else { "No Auditing" }
 $auditResult += [WELA]::New(
 "Security-Mitigations UserMode",
 "",
@@ -2485,7 +2485,7 @@ function GuideASD {
 $enabled = $true
 $rules = $all_rules | Where-Object { RuleFilter $_ $eids $channels $guid }
 $rules | ForEach-Object { $_.applicable = $enabled }
- $current = if ($enabled) { "Enabled" } else { "No Auditing" }
+ $current = if ($enabled) { "Success and Failure" } else { "No Auditing" }
 $auditResult += [WELA]::New(
 "SMBClient Security",
 "",
@@ -2766,7 +2766,7 @@ function GuideMSC {
 $enabled = CheckRegistryValue -registryPath "HKLM:\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\PowerShell\ModuleLogging" -valueName "EnableModuleLogging" -expectedValue 1
 $rules = $all_rules | Where-Object { RuleFilter $_ $eids $channels $guid }
 $rules | ForEach-Object { $_.applicable = $enabled }
- $current = if ($enabled) { "Enabled" } else { "No Auditing" }
+ $current = if ($enabled) { "Success and Failure" } else { "No Auditing" }
 $auditResult += [WELA]::New(
 "PowerShell",
 "Module",
@@ -2785,7 +2785,7 @@ function GuideMSC {
 $enabled = CheckRegistryValue -registryPath "HKLM:\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging" -valueName "EnableScriptBlockLogging" -expectedValue 1
 $rules = $all_rules | Where-Object { RuleFilter $_ $eids $channels $guid }
 $rules | ForEach-Object { $_.applicable = $enabled }
- $current = if ($enabled) { "Enabled" } else { "No Auditing" }
+ $current = if ($enabled) { "Success and Failure" } else { "No Auditing" }
 $auditResult += [WELA]::New(
 "PowerShell",
 "ScriptBlock",
@@ -2842,7 +2842,7 @@ function GuideMSC {
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Enabled" } else { "No Auditing" }
+ $current = if ($enabled) { "Success and Failure" } else { "No Auditing" }
 $auditResult += [WELA]::New(
 "Security Advanced (Account Logon)",
 "Credential Validation",
@@ -2860,7 +2860,7 @@ function GuideMSC {
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Enabled" } else { "No Auditing" }
+ $current = if ($enabled) { "Success and Failure" } else { "No Auditing" }
 $auditResult += [WELA]::New(
 "Security Advanced (Account Logon)",
 "Kerberos Authentication Service",
@@ -2878,7 +2878,7 @@ function GuideMSC {
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Enabled" } else { "No Auditing" }
+ $current = if ($enabled) { "Success and Failure" } else { "No Auditing" }
 $auditResult += [WELA]::New(
 "Security Advanced (Account Logon)",
 "Kerberos Service Ticket Operations",
@@ -2897,7 +2897,7 @@ function GuideMSC {
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Enabled" } else { "No Auditing" }
+ $current = if ($enabled) { "Success and Failure" } else { "No Auditing" }
 $auditResult += [WELA]::New(
 "Security Advanced (Account Management)",
 "Computer Account Management",
@@ -2915,7 +2915,7 @@ function GuideMSC {
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Enabled" } else { "No Auditing" }
+ $current = if ($enabled) { "Success and Failure" } else { "No Auditing" }
 $auditResult += [WELA]::New(
 "Security Advanced (Account Management)",
 "Other Account Management Events",
@@ -2933,7 +2933,7 @@ function GuideMSC {
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Enabled" } else { "No Auditing" }
+ $current = if ($enabled) { "Success and Failure" } else { "No Auditing" }
 $auditResult += [WELA]::New(
 "Security Advanced (Account Management)",
 "Security Group Management",
@@ -2951,7 +2951,7 @@ function GuideMSC {
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Enabled" } else { "No Auditing" }
+ $current = if ($enabled) { "Success and Failure" } else { "No Auditing" }
 $auditResult += [WELA]::New(
 "Security Advanced (Account Management)",
 "User Account Management",
@@ -2970,7 +2970,7 @@ function GuideMSC {
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Enabled" } else { "No Auditing" }
+ $current = if ($enabled) { "Success and Failure" } else { "No Auditing" }
 $auditResult += [WELA]::New(
 "Security Advanced (Detailed Tracking)",
 "Plug and Play Events",
@@ -2988,7 +2988,7 @@ function GuideMSC { $channels = @("sec") $enabled = $enabledguid -contains $guid $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid - $current = if ($enabled) { "Enabled" } else { "No Auditing" } + $current = if ($enabled) { "Success and Failure" } else { "No Auditing" } $auditResult += [WELA]::New( "Security Advanced (Detailed Tracking)", "Process Creation", @@ -3006,7 +3006,7 @@ function GuideMSC { $channels = @("sec") $enabled = $enabledguid -contains $guid $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid - $current = if ($enabled) { "Enabled" } else { "No Auditing" } + $current = if ($enabled) { "Success and Failure" } else { "No Auditing" } $auditResult += [WELA]::New( "Security Advanced (Detailed Tracking)", "Process Termination", @@ -3024,7 +3024,7 @@ function GuideMSC { $channels = @("sec") $enabled = $enabledguid -contains $guid $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid - $current = if ($enabled) { "Enabled" } else { "No Auditing" } + $current = if ($enabled) { "Success and Failure" } else { "No Auditing" } $auditResult += [WELA]::New( "Security Advanced (Detailed Tracking)", "RPC Events", @@ -3042,7 +3042,7 @@ function GuideMSC { $channels = @("sec") $enabled = $enabledguid -contains $guid $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid - $current = if ($enabled) { "Enabled" } else { "No Auditing" } + $current = if ($enabled) { "Success and Failure" } else { "No Auditing" } $auditResult += [WELA]::New( "Security Advanced (Detailed Tracking)", "Token Right Adjusted Events", 
@@ -3061,7 +3061,7 @@ function GuideMSC { $channels = @("sec") $enabled = $enabledguid -contains $guid $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid - $current = if ($enabled) { "Enabled" } else { "No Auditing" } + $current = if ($enabled) { "Success and Failure" } else { "No Auditing" } $auditResult += [WELA]::New( "Security Advanced (DS Access)", "Directory Service Access", @@ -3079,7 +3079,7 @@ function GuideMSC { $channels = @("sec") $enabled = $enabledguid -contains $guid $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid - $current = if ($enabled) { "Enabled" } else { "No Auditing" } + $current = if ($enabled) { "Success and Failure" } else { "No Auditing" } $auditResult += [WELA]::New( "Security Advanced (DS Access)", "Directory Service Changes", @@ -3098,7 +3098,7 @@ function GuideMSC { $channels = @("sec") $enabled = $enabledguid -contains $guid $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid - $current = if ($enabled) { "Enabled" } else { "No Auditing" } + $current = if ($enabled) { "Success and Failure" } else { "No Auditing" } $auditResult += [WELA]::New( "Security Advanced (Logon/Logoff)", "Account Lockout", @@ -3116,7 +3116,7 @@ function GuideMSC { $channels = @("sec") $enabled = $enabledguid -contains $guid $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid - $current = if ($enabled) { "Enabled" } else { "No Auditing" } + $current = if ($enabled) { "Success and Failure" } else { "No Auditing" } $auditResult += [WELA]::New( "Security Advanced (Logon/Logoff)", "Group Membership", @@ -3134,7 +3134,7 @@ function GuideMSC { $channels = @("sec") $enabled = $enabledguid -contains $guid $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid - $current = if ($enabled) { "Enabled" } else { "No Auditing" } + $current = if ($enabled) { "Success and Failure" } else { "No Auditing" } $auditResult += [WELA]::New( "Security Advanced (Logon/Logoff)", "Group Membership", 
@@ -3152,7 +3152,7 @@ function GuideMSC { $channels = @("sec") $enabled = $enabledguid -contains $guid $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid - $current = if ($enabled) { "Enabled" } else { "No Auditing" } + $current = if ($enabled) { "Success and Failure" } else { "No Auditing" } $auditResult += [WELA]::New( "Security Advanced (Logon/Logoff)", "Logon", @@ -3170,7 +3170,7 @@ function GuideMSC { $channels = @("sec") $enabled = $enabledguid -contains $guid $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid - $current = if ($enabled) { "Enabled" } else { "No Auditing" } + $current = if ($enabled) { "Success and Failure" } else { "No Auditing" } $auditResult += [WELA]::New( "Security Advanced (Logon/Logoff)", "Other Logon/Logoff Events", @@ -3188,7 +3188,7 @@ function GuideMSC { $channels = @("sec") $enabled = $enabledguid -contains $guid $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid - $current = if ($enabled) { "Enabled" } else { "No Auditing" } + $current = if ($enabled) { "Success and Failure" } else { "No Auditing" } $auditResult += [WELA]::New( "Security Advanced (Logon/Logoff)", "Special Logon", @@ -3208,7 +3208,7 @@ function GuideMSC { $channels = @("sec") $enabled = $enabledguid -contains $guid $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid - $current = if ($enabled) { "Enabled" } else { "No Auditing" } + $current = if ($enabled) { "Success and Failure" } else { "No Auditing" } $auditResult += [WELA]::New( "Security Advanced (Object Access)", "Certification Services", @@ -3226,7 +3226,7 @@ function GuideMSC { $channels = @("sec") $enabled = $enabledguid -contains $guid $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid - $current = if ($enabled) { "Enabled" } else { "No Auditing" } + $current = if ($enabled) { "Success and Failure" } else { "No Auditing" } $auditResult += [WELA]::New( "Security Advanced (Object Access)", "Certification Services", 
@@ -3244,7 +3244,7 @@ function GuideMSC { $channels = @("sec") $enabled = $enabledguid -contains $guid $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid - $current = if ($enabled) { "Enabled" } else { "No Auditing" } + $current = if ($enabled) { "Success and Failure" } else { "No Auditing" } $auditResult += [WELA]::New( "Security Advanced (Object Access)", "File Share", @@ -3262,7 +3262,7 @@ function GuideMSC { $channels = @("sec") $enabled = $enabledguid -contains $guid $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid - $current = if ($enabled) { "Enabled" } else { "No Auditing" } + $current = if ($enabled) { "Success and Failure" } else { "No Auditing" } $auditResult += [WELA]::New( "Security Advanced (Object Access)", "File System", @@ -3280,7 +3280,7 @@ function GuideMSC { $channels = @("sec") $enabled = $enabledguid -contains $guid $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid - $current = if ($enabled) { "Enabled" } else { "No Auditing" } + $current = if ($enabled) { "Success and Failure" } else { "No Auditing" } $auditResult += [WELA]::New( "Security Advanced (Object Access)", "Filtering Platform Connection", @@ -3298,7 +3298,7 @@ function GuideMSC { $channels = @("sec") $enabled = $enabledguid -contains $guid $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid - $current = if ($enabled) { "Enabled" } else { "No Auditing" } + $current = if ($enabled) { "Success and Failure" } else { "No Auditing" } $auditResult += [WELA]::New( "Security Advanced (Object Access)", "Filtering Platform Packet Drop", @@ -3316,7 +3316,7 @@ function GuideMSC { $channels = @("sec") $enabled = $enabledguid -contains $guid $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid - $current = if ($enabled) { "Enabled" } else { "No Auditing" } + $current = if ($enabled) { "Success and Failure" } else { "No Auditing" } $auditResult += [WELA]::New( "Security Advanced (Object Access)", "Kernel Object", 
@@ -3334,7 +3334,7 @@ function GuideMSC { $channels = @("sec") $enabled = $enabledguid -contains $guid $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid - $current = if ($enabled) { "Enabled" } else { "No Auditing" } + $current = if ($enabled) { "Success and Failure" } else { "No Auditing" } $auditResult += [WELA]::New( "Security Advanced (Object Access)", "Handle Manipulation", @@ -3352,7 +3352,7 @@ function GuideMSC { $channels = @("sec") $enabled = $enabledguid -contains $guid $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid - $current = if ($enabled) { "Enabled" } else { "No Auditing" } + $current = if ($enabled) { "Success and Failure" } else { "No Auditing" } $auditResult += [WELA]::New( "Security Advanced (Object Access)", "Other Object Access Events", @@ -3370,7 +3370,7 @@ function GuideMSC { $channels = @("sec") $enabled = $enabledguid -contains $guid $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid - $current = if ($enabled) { "Enabled" } else { "No Auditing" } + $current = if ($enabled) { "Success and Failure" } else { "No Auditing" } $auditResult += [WELA]::New( "Security Advanced (Object Access)", "Registry", @@ -3388,7 +3388,7 @@ function GuideMSC { $channels = @("sec") $enabled = $enabledguid -contains $guid $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid - $current = if ($enabled) { "Enabled" } else { "No Auditing" } + $current = if ($enabled) { "Success and Failure" } else { "No Auditing" } $auditResult += [WELA]::New( "Security Advanced (Object Access)", "Removable Storage", @@ -3406,7 +3406,7 @@ function GuideMSC { $channels = @("sec") $enabled = $enabledguid -contains $guid $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid - $current = if ($enabled) { "Enabled" } else { "No Auditing" } + $current = if ($enabled) { "Success and Failure" } else { "No Auditing" } $auditResult += [WELA]::New( "Security Advanced (Object Access)", "SAM", 
@@ -3425,7 +3425,7 @@ function GuideMSC { $channels = @("sec") $enabled = $enabledguid -contains $guid $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid - $current = if ($enabled) { "Enabled" } else { "No Auditing" } + $current = if ($enabled) { "Success and Failure" } else { "No Auditing" } $auditResult += [WELA]::New( "Security Advanced (Policy Change)", "Audit Policy Change", @@ -3443,7 +3443,7 @@ function GuideMSC { $channels = @("sec") $enabled = $enabledguid -contains $guid $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid - $current = if ($enabled) { "Enabled" } else { "No Auditing" } + $current = if ($enabled) { "Success and Failure" } else { "No Auditing" } $auditResult += [WELA]::New( "Security Advanced (Policy Change)", "Authentication Policy Change", @@ -3461,7 +3461,7 @@ function GuideMSC { $channels = @("sec") $enabled = $enabledguid -contains $guid $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid - $current = if ($enabled) { "Enabled" } else { "No Auditing" } + $current = if ($enabled) { "Success and Failure" } else { "No Auditing" } $auditResult += [WELA]::New( "Security Advanced (Policy Change)", "Authorization Policy Change", @@ -3479,7 +3479,7 @@ function GuideMSC { $channels = @("sec") $enabled = $enabledguid -contains $guid $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid - $current = if ($enabled) { "Enabled" } else { "No Auditing" } + $current = if ($enabled) { "Success and Failure" } else { "No Auditing" } $auditResult += [WELA]::New( "Security Advanced (Policy Change)", "Filtering Platform Policy Change", 
@@ -3497,7 +3497,7 @@ function GuideMSC { $channels = @("sec") $enabled = $enabledguid -contains $guid $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid - $current = if ($enabled) { "Enabled" } else { "No Auditing" } + $current = if ($enabled) { "Success and Failure" } else { "No Auditing" } $auditResult += [WELA]::New( "Security Advanced (Policy Change)", "MPSSVC Rule-Level Policy Change", @@ -3515,7 +3515,7 @@ function GuideMSC { $channels = @("sec") $enabled = $enabledguid -contains $guid $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid - $current = if ($enabled) { "Enabled" } else { "No Auditing" } + $current = if ($enabled) { "Success and Failure" } else { "No Auditing" } $auditResult += [WELA]::New( "Security Advanced (Policy Change)", "Other Policy Change Events", @@ -3534,7 +3534,7 @@ function GuideMSC { $channels = @("sec") $enabled = $enabledguid -contains $guid $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid - $current = if ($enabled) { "Enabled" } else { "No Auditing" } + $current = if ($enabled) { "Success and Failure" } else { "No Auditing" } $auditResult += [WELA]::New( "Security Advanced (Privilege Use)", "Non-Sensitive Privilege Use", @@ -3552,7 +3552,7 @@ function GuideMSC { $channels = @("sec") $enabled = $enabledguid -contains $guid $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid - $current = if ($enabled) { "Enabled" } else { "No Auditing" } + $current = if ($enabled) { "Success and Failure" } else { "No Auditing" } $auditResult += [WELA]::New( "Security Advanced (Privilege Use)", "Sensitive Privilege Use", 
@@ -3571,7 +3571,7 @@ function GuideMSC {
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Enabled" } else { "No Auditing" }
+ $current = if ($enabled) { "Success and Failure" } else { "No Auditing" }
 $auditResult += [WELA]::New(
 "Security Advanced (System)",
 "Other System Events",
@@ -3589,7 +3589,7 @@ function GuideMSC {
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Enabled" } else { "No Auditing" }
+ $current = if ($enabled) { "Success and Failure" } else { "No Auditing" }
 $auditResult += [WELA]::New(
 "Security Advanced (System)",
 "Other System Events",
@@ -3607,7 +3607,7 @@ function GuideMSC {
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Enabled" } else { "No Auditing" }
+ $current = if ($enabled) { "Success and Failure" } else { "No Auditing" }
 $auditResult += [WELA]::New(
 "Security Advanced (System)",
 "Security System Extension",
@@ -3625,7 +3625,7 @@ function GuideMSC {
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Enabled" } else { "No Auditing" }
+ $current = if ($enabled) { "Success and Failure" } else { "No Auditing" }
 $auditResult += [WELA]::New(
 "Security Advanced (System)",
 "System Integrity",
@@ -3644,7 +3644,7 @@ function GuideMSC {
 $enabled = $true
 $rules = $all_rules | Where-Object { RuleFilter $_ $eids $channels $guid }
 $rules | ForEach-Object { $_.applicable = $enabled }
- $current = if ($enabled) { "Enabled" } else { "No Auditing" }
+ $current = if ($enabled) { "Success and Failure" } else { "No Auditing" }
 $auditResult += [WELA]::New(
 "Security-Mitigations KernelMode",
 "",
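Review bot: In the Security-Mitigations KernelMode hunk `$enabled = $true` is hard-coded, so the new `$current` is unconditionally "Success and Failure" — Advanced Audit Policy vocabulary applied to an ETW channel whose state is never actually checked. Reporting a channel as fully audited when nothing was verified is the false assurance an audit tool should avoid; either query the channel (the `IsEnabled` property of `Get-WinEvent -ListLog 'Microsoft-Windows-Security-Mitigations/KernelMode'` looks like the right source, to be confirmed) or label it `$current = "Enabled (not verified)"`. The UserMode and SMBClient Security hunks that follow have the same hard-coded `$true`.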
@@ -3663,7 +3663,7 @@ function GuideMSC {
 $enabled = $true
 $rules = $all_rules | Where-Object { RuleFilter $_ $eids $channels $guid }
 $rules | ForEach-Object { $_.applicable = $enabled }
- $current = if ($enabled) { "Enabled" } else { "No Auditing" }
+ $current = if ($enabled) { "Success and Failure" } else { "No Auditing" }
 $auditResult += [WELA]::New(
 "Security-Mitigations UserMode",
 "",
@@ -3682,7 +3682,7 @@ function GuideMSC {
 $enabled = $true
 $rules = $all_rules | Where-Object { RuleFilter $_ $eids $channels $guid }
 $rules | ForEach-Object { $_.applicable = $enabled }
- $current = if ($enabled) { "Enabled" } else { "No Auditing" }
+ $current = if ($enabled) { "Success and Failure" } else { "No Auditing" }
 $auditResult += [WELA]::New(
 "SMBClient Security",
 "",
@@ -3962,7 +3962,7 @@ function GuideMSS {
 $enabled = CheckRegistryValue -registryPath "HKLM:\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\PowerShell\ModuleLogging" -valueName "EnableModuleLogging" -expectedValue 1
 $rules = $all_rules | Where-Object { RuleFilter $_ $eids $channels $guid }
 $rules | ForEach-Object { $_.applicable = $enabled }
- $current = if ($enabled) { "Enabled" } else { "No Auditing" }
+ $current = if ($enabled) { "Success and Failure" } else { "No Auditing" }
 $auditResult += [WELA]::New(
 "PowerShell",
 "Module",
@@ -3981,7 +3981,7 @@ function GuideMSS {
 $enabled = CheckRegistryValue -registryPath "HKLM:\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging" -valueName "EnableScriptBlockLogging" -expectedValue 1
 $rules = $all_rules | Where-Object { RuleFilter $_ $eids $channels $guid }
 $rules | ForEach-Object { $_.applicable = $enabled }
- $current = if ($enabled) { "Enabled" } else { "No Auditing" }
+ $current = if ($enabled) { "Success and Failure" } else { "No Auditing" }
 $auditResult += [WELA]::New(
 "PowerShell",
 "ScriptBlock",
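Review bot: For the GuideMSS PowerShell Module and ScriptBlock hunks, `$current = if ($enabled) { "Success and Failure" } else { "No Auditing" }` describes a registry DWORD check (`EnableModuleLogging` / `EnableScriptBlockLogging`) with Advanced Audit Policy vocabulary; there is no success/failure split for these logs, so `$current = if ($enabled) { "Enabled" } else { "Disabled" }` is the accurate pair (patch 10 in this series makes that change for the GuideYamatoSecurity copy of the Module line, but the GuideMSS copies here keep the misleading label). Separately, both checks read only the `Wow6432Node` policy key; please confirm that the 64-bit `HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\...` view is covered as well, otherwise a host with logging enforced by GPO can be reported as "No Auditing".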
@@ -4038,7 +4038,7 @@ function GuideMSS { $channels = @("sec") $enabled = $enabledguid -contains $guid $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid - $current = if ($enabled) { "Enabled" } else { "No Auditing" } + $current = if ($enabled) { "Success and Failure" } else { "No Auditing" } $auditResult += [WELA]::New( "Security Advanced (Account Logon)", "Credential Validation", @@ -4056,7 +4056,7 @@ function GuideMSS { $channels = @("sec") $enabled = $enabledguid -contains $guid $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid - $current = if ($enabled) { "Enabled" } else { "No Auditing" } + $current = if ($enabled) { "Success and Failure" } else { "No Auditing" } $auditResult += [WELA]::New( "Security Advanced (Account Logon)", "Kerberos Authentication Service", @@ -4074,7 +4074,7 @@ function GuideMSS { $channels = @("sec") $enabled = $enabledguid -contains $guid $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid - $current = if ($enabled) { "Enabled" } else { "No Auditing" } + $current = if ($enabled) { "Success and Failure" } else { "No Auditing" } $auditResult += [WELA]::New( "Security Advanced (Account Logon)", "Kerberos Service Ticket Operations", @@ -4093,7 +4093,7 @@ function GuideMSS { $channels = @("sec") $enabled = $enabledguid -contains $guid $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid - $current = if ($enabled) { "Enabled" } else { "No Auditing" } + $current = if ($enabled) { "Success and Failure" } else { "No Auditing" } $auditResult += [WELA]::New( "Security Advanced (Account Management)", "Computer Account Management", 
@@ -4111,7 +4111,7 @@ function GuideMSS { $channels = @("sec") $enabled = $enabledguid -contains $guid $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid - $current = if ($enabled) { "Enabled" } else { "No Auditing" } + $current = if ($enabled) { "Success and Failure" } else { "No Auditing" } $auditResult += [WELA]::New( "Security Advanced (Account Management)", "Other Account Management Events", @@ -4129,7 +4129,7 @@ function GuideMSS { $channels = @("sec") $enabled = $enabledguid -contains $guid $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid - $current = if ($enabled) { "Enabled" } else { "No Auditing" } + $current = if ($enabled) { "Success and Failure" } else { "No Auditing" } $auditResult += [WELA]::New( "Security Advanced (Account Management)", "Security Group Management", @@ -4147,7 +4147,7 @@ function GuideMSS { $channels = @("sec") $enabled = $enabledguid -contains $guid $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid - $current = if ($enabled) { "Enabled" } else { "No Auditing" } + $current = if ($enabled) { "Success and Failure" } else { "No Auditing" } $auditResult += [WELA]::New( "Security Advanced (Account Management)", "User Account Management", @@ -4166,7 +4166,7 @@ function GuideMSS { $channels = @("sec") $enabled = $enabledguid -contains $guid $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid - $current = if ($enabled) { "Enabled" } else { "No Auditing" } + $current = if ($enabled) { "Success and Failure" } else { "No Auditing" } $auditResult += [WELA]::New( "Security Advanced (Detailed Tracking)", "Plug and Play Events", 
@@ -4184,7 +4184,7 @@ function GuideMSS { $channels = @("sec") $enabled = $enabledguid -contains $guid $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid - $current = if ($enabled) { "Enabled" } else { "No Auditing" } + $current = if ($enabled) { "Success and Failure" } else { "No Auditing" } $auditResult += [WELA]::New( "Security Advanced (Detailed Tracking)", "Process Creation", @@ -4202,7 +4202,7 @@ function GuideMSS { $channels = @("sec") $enabled = $enabledguid -contains $guid $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid - $current = if ($enabled) { "Enabled" } else { "No Auditing" } + $current = if ($enabled) { "Success and Failure" } else { "No Auditing" } $auditResult += [WELA]::New( "Security Advanced (Detailed Tracking)", "Process Termination", @@ -4220,7 +4220,7 @@ function GuideMSS { $channels = @("sec") $enabled = $enabledguid -contains $guid $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid - $current = if ($enabled) { "Enabled" } else { "No Auditing" } + $current = if ($enabled) { "Success and Failure" } else { "No Auditing" } $auditResult += [WELA]::New( "Security Advanced (Detailed Tracking)", "RPC Events", @@ -4238,7 +4238,7 @@ function GuideMSS { $channels = @("sec") $enabled = $enabledguid -contains $guid $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid - $current = if ($enabled) { "Enabled" } else { "No Auditing" } + $current = if ($enabled) { "Success and Failure" } else { "No Auditing" } $auditResult += [WELA]::New( "Security Advanced (Detailed Tracking)", "Token Right Adjusted Events", 
@@ -4257,7 +4257,7 @@ function GuideMSS { $channels = @("sec") $enabled = $enabledguid -contains $guid $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid - $current = if ($enabled) { "Enabled" } else { "No Auditing" } + $current = if ($enabled) { "Success and Failure" } else { "No Auditing" } $auditResult += [WELA]::New( "Security Advanced (DS Access)", "Directory Service Access", @@ -4275,7 +4275,7 @@ function GuideMSS { $channels = @("sec") $enabled = $enabledguid -contains $guid $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid - $current = if ($enabled) { "Enabled" } else { "No Auditing" } + $current = if ($enabled) { "Success and Failure" } else { "No Auditing" } $auditResult += [WELA]::New( "Security Advanced (DS Access)", "Directory Service Changes", @@ -4294,7 +4294,7 @@ function GuideMSS { $channels = @("sec") $enabled = $enabledguid -contains $guid $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid - $current = if ($enabled) { "Enabled" } else { "No Auditing" } + $current = if ($enabled) { "Success and Failure" } else { "No Auditing" } $auditResult += [WELA]::New( "Security Advanced (Logon/Logoff)", "Account Lockout", @@ -4312,7 +4312,7 @@ function GuideMSS { $channels = @("sec") $enabled = $enabledguid -contains $guid $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid - $current = if ($enabled) { "Enabled" } else { "No Auditing" } + $current = if ($enabled) { "Success and Failure" } else { "No Auditing" } $auditResult += [WELA]::New( "Security Advanced (Logon/Logoff)", "Group Membership", @@ -4330,7 +4330,7 @@ function GuideMSS { $channels = @("sec") $enabled = $enabledguid -contains $guid $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid - $current = if ($enabled) { "Enabled" } else { "No Auditing" } + $current = if ($enabled) { "Success and Failure" } else { "No Auditing" } $auditResult += [WELA]::New( "Security Advanced (Logon/Logoff)", "Group Membership", 
@@ -4348,7 +4348,7 @@ function GuideMSS { $channels = @("sec") $enabled = $enabledguid -contains $guid $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid - $current = if ($enabled) { "Enabled" } else { "No Auditing" } + $current = if ($enabled) { "Success and Failure" } else { "No Auditing" } $auditResult += [WELA]::New( "Security Advanced (Logon/Logoff)", "Logon", @@ -4366,7 +4366,7 @@ function GuideMSS { $channels = @("sec") $enabled = $enabledguid -contains $guid $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid - $current = if ($enabled) { "Enabled" } else { "No Auditing" } + $current = if ($enabled) { "Success and Failure" } else { "No Auditing" } $auditResult += [WELA]::New( "Security Advanced (Logon/Logoff)", "Other Logon/Logoff Events", @@ -4384,7 +4384,7 @@ function GuideMSS { $channels = @("sec") $enabled = $enabledguid -contains $guid $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid - $current = if ($enabled) { "Enabled" } else { "No Auditing" } + $current = if ($enabled) { "Success and Failure" } else { "No Auditing" } $auditResult += [WELA]::New( "Security Advanced (Logon/Logoff)", "Special Logon", @@ -4404,7 +4404,7 @@ function GuideMSS { $channels = @("sec") $enabled = $enabledguid -contains $guid $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid - $current = if ($enabled) { "Enabled" } else { "No Auditing" } + $current = if ($enabled) { "Success and Failure" } else { "No Auditing" } $auditResult += [WELA]::New( "Security Advanced (Object Access)", "Certification Services", @@ -4422,7 +4422,7 @@ function GuideMSS { $channels = @("sec") $enabled = $enabledguid -contains $guid $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid - $current = if ($enabled) { "Enabled" } else { "No Auditing" } + $current = if ($enabled) { "Success and Failure" } else { "No Auditing" } $auditResult += [WELA]::New( "Security Advanced (Object Access)", "Certification Services", 
@@ -4440,7 +4440,7 @@ function GuideMSS { $channels = @("sec") $enabled = $enabledguid -contains $guid $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid - $current = if ($enabled) { "Enabled" } else { "No Auditing" } + $current = if ($enabled) { "Success and Failure" } else { "No Auditing" } $auditResult += [WELA]::New( "Security Advanced (Object Access)", "File Share", @@ -4458,7 +4458,7 @@ function GuideMSS { $channels = @("sec") $enabled = $enabledguid -contains $guid $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid - $current = if ($enabled) { "Enabled" } else { "No Auditing" } + $current = if ($enabled) { "Success and Failure" } else { "No Auditing" } $auditResult += [WELA]::New( "Security Advanced (Object Access)", "File System", @@ -4476,7 +4476,7 @@ function GuideMSS { $channels = @("sec") $enabled = $enabledguid -contains $guid $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid - $current = if ($enabled) { "Enabled" } else { "No Auditing" } + $current = if ($enabled) { "Success and Failure" } else { "No Auditing" } $auditResult += [WELA]::New( "Security Advanced (Object Access)", "Filtering Platform Connection", @@ -4494,7 +4494,7 @@ function GuideMSS { $channels = @("sec") $enabled = $enabledguid -contains $guid $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid - $current = if ($enabled) { "Enabled" } else { "No Auditing" } + $current = if ($enabled) { "Success and Failure" } else { "No Auditing" } $auditResult += [WELA]::New( "Security Advanced (Object Access)", "Filtering Platform Packet Drop", @@ -4512,7 +4512,7 @@ function GuideMSS { $channels = @("sec") $enabled = $enabledguid -contains $guid $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid - $current = if ($enabled) { "Enabled" } else { "No Auditing" } + $current = if ($enabled) { "Success and Failure" } else { "No Auditing" } $auditResult += [WELA]::New( "Security Advanced (Object Access)", "Kernel Object", 
@@ -4530,7 +4530,7 @@ function GuideMSS { $channels = @("sec") $enabled = $enabledguid -contains $guid $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid - $current = if ($enabled) { "Enabled" } else { "No Auditing" } + $current = if ($enabled) { "Success and Failure" } else { "No Auditing" } $auditResult += [WELA]::New( "Security Advanced (Object Access)", "Handle Manipulation", @@ -4548,7 +4548,7 @@ function GuideMSS { $channels = @("sec") $enabled = $enabledguid -contains $guid $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid - $current = if ($enabled) { "Enabled" } else { "No Auditing" } + $current = if ($enabled) { "Success and Failure" } else { "No Auditing" } $auditResult += [WELA]::New( "Security Advanced (Object Access)", "Other Object Access Events", @@ -4566,7 +4566,7 @@ function GuideMSS { $channels = @("sec") $enabled = $enabledguid -contains $guid $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid - $current = if ($enabled) { "Enabled" } else { "No Auditing" } + $current = if ($enabled) { "Success and Failure" } else { "No Auditing" } $auditResult += [WELA]::New( "Security Advanced (Object Access)", "Registry", @@ -4584,7 +4584,7 @@ function GuideMSS { $channels = @("sec") $enabled = $enabledguid -contains $guid $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid - $current = if ($enabled) { "Enabled" } else { "No Auditing" } + $current = if ($enabled) { "Success and Failure" } else { "No Auditing" } $auditResult += [WELA]::New( "Security Advanced (Object Access)", "Removable Storage", @@ -4602,7 +4602,7 @@ function GuideMSS { $channels = @("sec") $enabled = $enabledguid -contains $guid $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid - $current = if ($enabled) { "Enabled" } else { "No Auditing" } + $current = if ($enabled) { "Success and Failure" } else { "No Auditing" } $auditResult += [WELA]::New( "Security Advanced (Object Access)", "SAM", 
@@ -4621,7 +4621,7 @@ function GuideMSS { $channels = @("sec") $enabled = $enabledguid -contains $guid $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid - $current = if ($enabled) { "Enabled" } else { "No Auditing" } + $current = if ($enabled) { "Success and Failure" } else { "No Auditing" } $auditResult += [WELA]::New( "Security Advanced (Policy Change)", "Audit Policy Change", @@ -4639,7 +4639,7 @@ function GuideMSS { $channels = @("sec") $enabled = $enabledguid -contains $guid $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid - $current = if ($enabled) { "Enabled" } else { "No Auditing" } + $current = if ($enabled) { "Success and Failure" } else { "No Auditing" } $auditResult += [WELA]::New( "Security Advanced (Policy Change)", "Authentication Policy Change", @@ -4657,7 +4657,7 @@ function GuideMSS { $channels = @("sec") $enabled = $enabledguid -contains $guid $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid - $current = if ($enabled) { "Enabled" } else { "No Auditing" } + $current = if ($enabled) { "Success and Failure" } else { "No Auditing" } $auditResult += [WELA]::New( "Security Advanced (Policy Change)", "Authorization Policy Change", @@ -4675,7 +4675,7 @@ function GuideMSS { $channels = @("sec") $enabled = $enabledguid -contains $guid $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid - $current = if ($enabled) { "Enabled" } else { "No Auditing" } + $current = if ($enabled) { "Success and Failure" } else { "No Auditing" } $auditResult += [WELA]::New( "Security Advanced (Policy Change)", "Filtering Platform Policy Change", 
@@ -4693,7 +4693,7 @@ function GuideMSS { $channels = @("sec") $enabled = $enabledguid -contains $guid $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid - $current = if ($enabled) { "Enabled" } else { "No Auditing" } + $current = if ($enabled) { "Success and Failure" } else { "No Auditing" } $auditResult += [WELA]::New( "Security Advanced (Policy Change)", "MPSSVC Rule-Level Policy Change", @@ -4711,7 +4711,7 @@ function GuideMSS { $channels = @("sec") $enabled = $enabledguid -contains $guid $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid - $current = if ($enabled) { "Enabled" } else { "No Auditing" } + $current = if ($enabled) { "Success and Failure" } else { "No Auditing" } $auditResult += [WELA]::New( "Security Advanced (Policy Change)", "Other Policy Change Events", @@ -4730,7 +4730,7 @@ function GuideMSS { $channels = @("sec") $enabled = $enabledguid -contains $guid $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid - $current = if ($enabled) { "Enabled" } else { "No Auditing" } + $current = if ($enabled) { "Success and Failure" } else { "No Auditing" } $auditResult += [WELA]::New( "Security Advanced (Privilege Use)", "Non-Sensitive Privilege Use", @@ -4748,7 +4748,7 @@ function GuideMSS { $channels = @("sec") $enabled = $enabledguid -contains $guid $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid - $current = if ($enabled) { "Enabled" } else { "No Auditing" } + $current = if ($enabled) { "Success and Failure" } else { "No Auditing" } $auditResult += [WELA]::New( "Security Advanced (Privilege Use)", "Sensitive Privilege Use", 
@@ -4767,7 +4767,7 @@ function GuideMSS {
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Enabled" } else { "No Auditing" }
+ $current = if ($enabled) { "Success and Failure" } else { "No Auditing" }
 $auditResult += [WELA]::New(
 "Security Advanced (System)",
 "Other System Events",
@@ -4785,7 +4785,7 @@ function GuideMSS {
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Enabled" } else { "No Auditing" }
+ $current = if ($enabled) { "Success and Failure" } else { "No Auditing" }
 $auditResult += [WELA]::New(
 "Security Advanced (System)",
 "Other System Events",
@@ -4803,7 +4803,7 @@ function GuideMSS {
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Enabled" } else { "No Auditing" }
+ $current = if ($enabled) { "Success and Failure" } else { "No Auditing" }
 $auditResult += [WELA]::New(
 "Security Advanced (System)",
 "Security System Extension",
@@ -4821,7 +4821,7 @@ function GuideMSS {
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Enabled" } else { "No Auditing" }
+ $current = if ($enabled) { "Success and Failure" } else { "No Auditing" }
 $auditResult += [WELA]::New(
 "Security Advanced (System)",
 "System Integrity",
From 0633cf3ee55be7430a913201647f9b93d71422c1 Mon Sep 17 00:00:00 2001
From: fukusuket <41001169+fukusuket@users.noreply.github.com>
Date: Fri, 16 May 2025 18:03:39 +0900
Subject: [PATCH 10/15] feat: add currentsetting
---
 WELA.ps1 | 800 ++++++++++++++++++++++++++++---------------------------
 1 file changed, 410 insertions(+), 390 deletions(-)
diff --git a/WELA.ps1 b/WELA.ps1
index d6717d2e..05e494a2 100644
--- a/WELA.ps1 +++ b/WELA.ps1 @@ -39,7 +39,7 @@ class WELA { } [void] SetApplicable([array] $Enabledguid) { - if ($this.Enabled) { + if ($this.CurrentSetting -ne "No Auditing") { foreach ($rule in $this.Rules) { $rule.applicable = $true } @@ -66,7 +66,7 @@ class WELA { [void] Output([string] $Format) { switch ($Format.ToLower()) { "std" { - $color = if ($this.CurrentSetting -eq "Enabled") { "Green" } else { "Red" } + $color = if ($this.CurrentSetting -eq "Enabled" -or $this.CurrentSetting -contains "Success" -or $this.CurrentSetting -contains "Failure") { "Green" } else { "Red" } $ruleCounts = "" $logEnabled = $this.CurrentSetting $allZero = $this.RulesCount.Values | Where-Object { $_ -ne 0 } | Measure-Object | Select-Object -ExpandProperty Count @@ -194,12 +194,32 @@ function CheckRegistryValue { return $false } } + +function GetAuditpol { + $mapping = @{} + Get-Content "./auditpol.txt" | Select-Object -Skip 3 | ForEach-Object { + if ([string]::IsNullOrWhiteSpace($_)) { + return + } + $columns = $_ -split ',' + + $guid = $columns[3].Trim() -replace '^\{|\}$', '' # 波括弧を削除 + $inclusionSetting = $columns[4].Trim() + if ($guid -and $inclusionSetting) { + $mapping[$guid] = $inclusionSetting + } + } + return $mapping +} + function GuideYamatoSecurity { param ( [object[]] $all_rules ) + $auditResult = @() + $auditpol = GetAuditpol # Application $guid = "" @@ -371,7 +391,7 @@ function GuideYamatoSecurity $enabled = CheckRegistryValue -registryPath "HKLM:\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\PowerShell\ModuleLogging" -valueName "EnableModuleLogging" -expectedValue 1 $rules = $all_rules | Where-Object { RuleFilter $_ $eids $channels $guid } $rules | ForEach-Object { $_.applicable = $enabled } - $current = if ($enabled) { "Success and Failure" } else { "No Auditing" } + $current = $enabled ? "Enabled" : "Disabled" $auditResult += [WELA]::New( "PowerShell", "Module", 
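Review bot: `if ($this.CurrentSetting -ne "No Auditing")` in SetApplicable treats every value other than that exact string as enabled, including an empty string, which is what the constructor ends up with when `$auditpol[$guid]` has no entry for the GUID (missing auditpol.txt or an unknown subcategory); such entries then get all their rules marked applicable although their real state is unknown. The "Disabled" value assigned further down in this patch (`$current = $enabled ? "Enabled" : "Disabled"`) also passes this test. Only enable when the value is known and not off: `if ($this.CurrentSetting -and $this.CurrentSetting -ne "No Auditing" -and $this.CurrentSetting -ne "Disabled") {`. SetApplicable's body continues outside the hunk, so where it is invoked for the auditpol-backed entries is not visible here.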
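Review bot: `$this.CurrentSetting -contains "Success"` in Output is not a substring match: `-contains` is a collection operator and a plain string on its left is treated as a one-element collection, so `"Success and Failure" -contains "Success"` is $false and every auditpol-derived value except an exact "Success" or "Failure" is coloured Red. A pattern operator is what is intended: `$color = if ($this.CurrentSetting -eq "Enabled" -or $this.CurrentSetting -match 'Success|Failure') { "Green" } else { "Red" }`. Output's switch continues outside the hunk.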
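Review bot: GetAuditpol reads `"./auditpol.txt"` relative to the current working directory with no existence check and indexes `$columns[3]`/`$columns[4]` without checking the column count, so a missing file, a run from another directory, or a short/odd line (if the file is `auditpol /r` output, its headings and values are localised and a field may contain a comma) produces a terminating error or a shifted GUID lookup instead of an empty mapping that the callers can display as unknown. Resolving the path against `$PSScriptRoot`, returning early when the file is absent, and skipping lines with fewer than five columns keeps the function safe; `ConvertFrom-Csv` would be a cleaner parser than `-split ','` if the file is genuine CSV. The inline comment `# 波括弧を削除` should be in English, e.g. `# strip the surrounding braces from the subcategory GUID`. The function is new in this hunk; the rest of the hunk (the `$auditpol = GetAuditpol` call in GuideYamatoSecurity) is fine.
```powershell
function GetAuditpol {
    # Map of subcategory GUID (without braces) -> inclusion setting; empty when the file is unusable.
    $mapping = @{}
    $path = Join-Path $PSScriptRoot "auditpol.txt"
    if (-not (Test-Path -LiteralPath $path)) {
        Write-Warning "auditpol.txt not found at $path; current audit settings will be reported as unknown."
        return $mapping
    }
    Get-Content -LiteralPath $path | Select-Object -Skip 3 | ForEach-Object {
        if ([string]::IsNullOrWhiteSpace($_)) {
            return
        }
        $columns = $_ -split ','
        if ($columns.Count -lt 5) {
            return
        }
        $guid = $columns[3].Trim() -replace '^\{|\}$', ''   # strip the surrounding braces from the subcategory GUID
        $inclusionSetting = $columns[4].Trim()
        if ($guid -and $inclusionSetting) {
            $mapping[$guid] = $inclusionSetting
        }
    }
    return $mapping
}
```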
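Review bot: `$current = $enabled ? "Enabled" : "Disabled"` for PowerShell Module logging uses the ternary operator, which exists only in PowerShell 7.0 and later; if WELA.ps1 is expected to run under Windows PowerShell 5.1 (the rest of the visible code uses nothing newer), this line is a parse error for the whole script, whereas the `if/else` form it replaces works on both. Keep the portable form: `$current = if ($enabled) { "Enabled" } else { "Disabled" }`. The same construct is used in the ScriptBlock logging hunk that follows.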
@@ -390,7 +410,7 @@ function GuideYamatoSecurity
 $enabled = CheckRegistryValue -registryPath "HKLM:\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging" -valueName "EnableScriptBlockLogging" -expectedValue 1
 $rules = $all_rules | Where-Object { RuleFilter $_ $eids $channels $guid }
 $rules | ForEach-Object { $_.applicable = $enabled }
- $current = if ($enabled) { "Success and Failure" } else { "No Auditing" }
+ $current = $enabled ? "Enabled" : "Disabled"
 $auditResult += [WELA]::New(
 "PowerShell",
 "ScriptBlock",
@@ -447,11 +467,10 @@ function GuideYamatoSecurity
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Success and Failure" } else { "No Auditing" }
 $auditResult += [WELA]::New(
 "Security Advanced (Account Logon)",
 "Credential Validation",
- $current,
+ $auditpol[$guid],
 [array]$rules,
 "Client OS: No Auditing | Server OS: Success",
 "Client and Server OSes: Success and Failure",
@@ -465,11 +484,10 @@ function GuideYamatoSecurity
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Success and Failure" } else { "No Auditing" }
 $auditResult += [WELA]::New(
 "Security Advanced (Account Logon)",
 "Kerberos Authentication Service",
- $current,
+ $auditpol[$guid],
 [array]$rules,
 "Client OS: No Auditing | Server OS: Success",
 "Client OS: No Auditing | Server OS: Success and Failure",
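Review bot: Passing `$auditpol[$guid]` as CurrentSetting while `$enabled` is still computed from `$enabledguid -contains $guid` and fed to ApplyRules leaves two sources of truth for the same subcategory: a GUID absent from the auditpol map yields $null (which a `[string]` parameter turns into an empty setting), yet the rules may still be marked applicable from `$enabledguid`, and the reverse disagreement is equally possible. Read the value once, make the absence visible, and derive applicability from it: `$current = if ($auditpol.ContainsKey($guid)) { $auditpol[$guid] } else { "Unknown" }` followed by `$enabled = $current -ne "Unknown" -and $current -ne "No Auditing"` before the ApplyRules call, then pass `$current`. The same pattern is repeated in every remaining Security Advanced hunk of GuideYamatoSecurity and in the GuideASD hunks that follow; the function bodies start and end outside these hunks.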
@@ -483,11 +501,10 @@ function GuideYamatoSecurity
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Success and Failure" } else { "No Auditing" }
 $auditResult += [WELA]::New(
 "Security Advanced (Account Logon)",
 "Kerberos Service Ticket Operations",
- $current,
+ $auditpol[$guid],
 [array]$rules,
 "Client OS: No Auditing | Server OS: Success",
 "Domain Controllers: Success and Failure",
@@ -502,11 +519,10 @@ function GuideYamatoSecurity
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Success and Failure" } else { "No Auditing" }
 $auditResult += [WELA]::New(
 "Security Advanced (Account Management)",
 "Computer Account Management",
- $current,
+ $auditpol[$guid],
 [array]$rules,
 "Client OS: No Auditing | Server OS: Success",
 "Domain Controllers: Success and Failure",
@@ -520,11 +536,11 @@ function GuideYamatoSecurity
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Success and Failure" } else { "No Auditing" }
+
 $auditResult += [WELA]::New(
 "Security Advanced (Account Management)",
 "Other Account Management Events",
- $current,
+ $auditpol[$guid],
 [array]$rules,
 "No Auditing",
 "Success and Failure",
@@ -538,11 +554,11 @@ function GuideYamatoSecurity
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Success and Failure" } else { "No Auditing" }
+
 $auditResult += [WELA]::New(
 "Security Advanced (Account Management)",
 "Security Group Management",
- $current,
+ $auditpol[$guid],
 [array]$rules,
 "No Auditing",
 "Success and Failure",
@@ -556,11 +572,11 @@ function GuideYamatoSecurity
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Success and Failure" } else { "No Auditing" }
+
 $auditResult += [WELA]::New(
 "Security Advanced (Account Management)",
 "User Account Management",
- $current,
+ $auditpol[$guid],
 [array]$rules,
 "No Auditing",
 "Success and Failure",
@@ -575,11 +591,11 @@ function GuideYamatoSecurity
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Success and Failure" } else { "No Auditing" }
+
 $auditResult += [WELA]::New(
 "Security Advanced (Detailed Tracking)",
 "Plug and Play Events",
- $current,
+ $auditpol[$guid],
 [array]$rules,
 "No Auditing",
 "Success and Failure",
@@ -593,11 +609,11 @@ function GuideYamatoSecurity
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Success and Failure" } else { "No Auditing" }
+
 $auditResult += [WELA]::New(
 "Security Advanced (Detailed Tracking)",
 "Process Creation",
- $current,
+ $auditpol[$guid],
 [array]$rules,
 "No Auditing",
 "Success and Failure",
@@ -611,11 +627,11 @@ function GuideYamatoSecurity
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Success and Failure" } else { "No Auditing" }
+
 $auditResult += [WELA]::New(
 "Security Advanced (Detailed Tracking)",
 "Process Termination",
- $current,
+ $auditpol[$guid],
 [array]$rules,
 "No Auditing",
 "No Auditing",
@@ -629,11 +645,11 @@ function GuideYamatoSecurity
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Success and Failure" } else { "No Auditing" }
+
 $auditResult += [WELA]::New(
 "Security Advanced (Detailed Tracking)",
 "RPC Events",
- $current,
+ $auditpol[$guid],
 [array]$rules,
 "No Auditing",
 "",
@@ -647,11 +663,11 @@ function GuideYamatoSecurity
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Success and Failure" } else { "No Auditing" }
+
 $auditResult += [WELA]::New(
 "Security Advanced (Detailed Tracking)",
 "Token Right Adjusted Events",
- $current,
+ $auditpol[$guid],
 [array]$rules,
 "No Auditing",
 "",
@@ -666,11 +682,11 @@ function GuideYamatoSecurity
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Success and Failure" } else { "No Auditing" }
+
 $auditResult += [WELA]::New(
 "Security Advanced (DS Access)",
 "Directory Service Access",
- $current,
+ $auditpol[$guid],
 [array]$rules,
 "Client OS: No Auditing | Server OS: Success",
 "Client OS: No Auditing | ADDS Server: Success and Failure",
@@ -684,11 +700,11 @@ function GuideYamatoSecurity
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Success and Failure" } else { "No Auditing" }
+
 $auditResult += [WELA]::New(
 "Security Advanced (DS Access)",
 "Directory Service Changes",
- $current,
+ $auditpol[$guid],
 [array]$rules,
 "No Auditing",
 "Client OS: No Auditing | ADDS Server: Success and Failure",
@@ -703,11 +719,11 @@ function GuideYamatoSecurity
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Success and Failure" } else { "No Auditing" }
+
 $auditResult += [WELA]::New(
 "Security Advanced (Logon/Logoff)",
 "Account Lockout",
- $current,
+ $auditpol[$guid],
 [array]$rules,
 "Success",
 "Success and Failure",
@@ -721,11 +737,11 @@ function GuideYamatoSecurity
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Success and Failure" } else { "No Auditing" }
+
 $auditResult += [WELA]::New(
 "Security Advanced (Logon/Logoff)",
 "Group Membership",
- $current,
+ $auditpol[$guid],
 [array]$rules,
 "No Auditing",
 "No Auditing",
@@ -739,11 +755,11 @@ function GuideYamatoSecurity
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Success and Failure" } else { "No Auditing" }
+
 $auditResult += [WELA]::New(
 "Security Advanced (Logon/Logoff)",
 "Group Membership",
- $current,
+ $auditpol[$guid],
 [array]$rules,
 "No Auditing",
 "No Auditing",
@@ -757,11 +773,11 @@ function GuideYamatoSecurity
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Success and Failure" } else { "No Auditing" }
+
 $auditResult += [WELA]::New(
 "Security Advanced (Logon/Logoff)",
 "Logon",
- $current,
+ $auditpol[$guid],
 [array]$rules,
 "Client OS: Success | Server OS: Success and Failure",
 "Success and Failure",
@@ -775,11 +791,11 @@ function GuideYamatoSecurity
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Success and Failure" } else { "No Auditing" }
+
 $auditResult += [WELA]::New(
 "Security Advanced (Logon/Logoff)",
 "Other Logon/Logoff Events",
- $current,
+ $auditpol[$guid],
 [array]$rules,
 "No Auditing",
 "Success and Failure",
@@ -793,11 +809,11 @@ function GuideYamatoSecurity
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Success and Failure" } else { "No Auditing" }
+
 $auditResult += [WELA]::New(
 "Security Advanced (Logon/Logoff)",
 "Special Logon",
- $current,
+ $auditpol[$guid],
 [array]$rules,
 "Success",
 "Success and Failure",
@@ -813,11 +829,11 @@ function GuideYamatoSecurity
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Success and Failure" } else { "No Auditing" }
+
 $auditResult += [WELA]::New(
 "Security Advanced (Object Access)",
 "Certification Services",
- $current,
+ $auditpol[$guid],
 [array]$rules,
 "No Auditing",
 "Success and Failure for AD CS role servers",
@@ -831,11 +847,11 @@ function GuideYamatoSecurity
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Success and Failure" } else { "No Auditing" }
+
 $auditResult += [WELA]::New(
 "Security Advanced (Object Access)",
 "Certification Services",
- $current,
+ $auditpol[$guid],
 [array]$rules,
 "No Auditing",
 "No Auditing",
@@ -849,11 +865,11 @@ function GuideYamatoSecurity
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Success and Failure" } else { "No Auditing" }
+
 $auditResult += [WELA]::New(
 "Security Advanced (Object Access)",
 "File Share",
- $current,
+ $auditpol[$guid],
 [array]$rules,
 "No Auditing",
 "Success and Failure",
@@ -867,11 +883,11 @@ function GuideYamatoSecurity
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Success and Failure" } else { "No Auditing" }
+
 $auditResult += [WELA]::New(
 "Security Advanced (Object Access)",
 "File System",
- $current,
+ $auditpol[$guid],
 [array]$rules,
 "No Auditing",
 "Enable",
@@ -885,11 +901,11 @@ function GuideYamatoSecurity
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Success and Failure" } else { "No Auditing" }
+
 $auditResult += [WELA]::New(
 "Security Advanced (Object Access)",
 "Filtering Platform Connection",
- $current,
+ $auditpol[$guid],
 [array]$rules,
 "No Auditing",
 "Success and Failure",
@@ -903,11 +919,11 @@ function GuideYamatoSecurity
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Success and Failure" } else { "No Auditing" }
+
 $auditResult += [WELA]::New(
 "Security Advanced (Object Access)",
 "Filtering Platform Packet Drop",
- $current,
+ $auditpol[$guid],
 [array]$rules,
 "No Auditing",
 "Success and Failure",
@@ -921,11 +937,11 @@ function GuideYamatoSecurity
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Success and Failure" } else { "No Auditing" }
+
 $auditResult += [WELA]::New(
 "Security Advanced (Object Access)",
 "Kernel Object",
- $current,
+ $auditpol[$guid],
 [array]$rules,
 "No Auditing",
 "Success and Failure",
@@ -939,11 +955,11 @@ function GuideYamatoSecurity
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Success and Failure" } else { "No Auditing" }
+
 $auditResult += [WELA]::New(
 "Security Advanced (Object Access)",
 "Handle Manipulation",
- $current,
+ $auditpol[$guid],
 [array]$rules,
 "No Auditing",
 "Success and Failure",
@@ -957,11 +973,11 @@ function GuideYamatoSecurity
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Success and Failure" } else { "No Auditing" }
+
 $auditResult += [WELA]::New(
 "Security Advanced (Object Access)",
 "Other Object Access Events",
- $current,
+ $auditpol[$guid],
 [array]$rules,
 "No Auditing",
 "Success and Failure",
@@ -975,11 +991,11 @@ function GuideYamatoSecurity
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Success and Failure" } else { "No Auditing" }
+
 $auditResult += [WELA]::New(
 "Security Advanced (Object Access)",
 "Registry",
- $current,
+ $auditpol[$guid],
 [array]$rules,
 "No Auditing",
 "Success and Failure",
@@ -993,11 +1009,11 @@ function GuideYamatoSecurity
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Success and Failure" } else { "No Auditing" }
+
 $auditResult += [WELA]::New(
 "Security Advanced (Object Access)",
 "Removable Storage",
- $current,
+ $auditpol[$guid],
 [array]$rules,
 "No Auditing",
 "Success and Failure",
@@ -1011,11 +1027,11 @@ function GuideYamatoSecurity
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Success and Failure" } else { "No Auditing" }
+
 $auditResult += [WELA]::New(
 "Security Advanced (Object Access)",
 "SAM",
- $current,
+ $auditpol[$guid],
 [array]$rules,
 "No Auditing",
 "Success and Failure",
@@ -1030,11 +1046,11 @@ function GuideYamatoSecurity
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Success and Failure" } else { "No Auditing" }
+
 $auditResult += [WELA]::New(
 "Security Advanced (Policy Change)",
 "Audit Policy Change",
- $current,
+ $auditpol[$guid],
 [array]$rules,
 "Success",
 "Success and Failure",
@@ -1048,11 +1064,11 @@ function GuideYamatoSecurity
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Success and Failure" } else { "No Auditing" }
+
 $auditResult += [WELA]::New(
 "Security Advanced (Policy Change)",
 "Authentication Policy Change",
- $current,
+ $auditpol[$guid],
 [array]$rules,
 "Success",
 "Success and Failure",
@@ -1066,11 +1082,11 @@ function GuideYamatoSecurity
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Success and Failure" } else { "No Auditing" }
+
 $auditResult += [WELA]::New(
 "Security Advanced (Policy Change)",
 "Authorization Policy Change",
- $current,
+ $auditpol[$guid],
 [array]$rules,
 "No Auditing",
 "",
@@ -1084,11 +1100,11 @@ function GuideYamatoSecurity
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Success and Failure" } else { "No Auditing" }
+
 $auditResult += [WELA]::New(
 "Security Advanced (Policy Change)",
 "Filtering Platform Policy Change",
- $current,
+ $auditpol[$guid],
 [array]$rules,
 "No Auditing",
 "",
@@ -1102,11 +1118,11 @@ function GuideYamatoSecurity
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Success and Failure" } else { "No Auditing" }
+
 $auditResult += [WELA]::New(
 "Security Advanced (Policy Change)",
 "MPSSVC Rule-Level Policy Change",
- $current,
+ $auditpol[$guid],
 [array]$rules,
 "No Auditing",
 "",
@@ -1120,11 +1136,11 @@ function GuideYamatoSecurity
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Success and Failure" } else { "No Auditing" }
+
 $auditResult += [WELA]::New(
 "Security Advanced (Policy Change)",
 "Other Policy Change Events",
- $current,
+ $auditpol[$guid],
 [array]$rules,
 "No Auditing",
 "No Auditing ",
@@ -1139,11 +1155,11 @@ function GuideYamatoSecurity
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Success and Failure" } else { "No Auditing" }
+
 $auditResult += [WELA]::New(
 "Security Advanced (Privilege Use)",
 "Non-Sensitive Privilege Use",
- $current,
+ $auditpol[$guid],
 [array]$rules,
 "No Auditing",
 "No Auditing",
@@ -1157,11 +1173,11 @@ function GuideYamatoSecurity
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Success and Failure" } else { "No Auditing" }
+
 $auditResult += [WELA]::New(
 "Security Advanced (Privilege Use)",
 "Sensitive Privilege Use",
- $current,
+ $auditpol[$guid],
 [array]$rules,
 "No Auditing",
 "Success and Failure",
@@ -1176,11 +1192,11 @@ function GuideYamatoSecurity
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Success and Failure" } else { "No Auditing" }
+
 $auditResult += [WELA]::New(
 "Security Advanced (System)",
 "Other System Events",
- $current,
+ $auditpol[$guid],
 [array]$rules,
 "Success and Failure",
 "",
@@ -1194,11 +1210,11 @@ function GuideYamatoSecurity
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Success and Failure" } else { "No Auditing" }
+
 $auditResult += [WELA]::New(
 "Security Advanced (System)",
 "Other System Events",
- $current,
+ $auditpol[$guid],
 [array]$rules,
 "Success",
 "Success and Failure",
@@ -1212,11 +1228,11 @@ function GuideYamatoSecurity
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Success and Failure" } else { "No Auditing" }
+
 $auditResult += [WELA]::New(
 "Security Advanced (System)",
 "Security System Extension",
- $current,
+ $auditpol[$guid],
 [array]$rules,
 "No Auditing",
 "Success and Failure",
@@ -1230,11 +1246,11 @@ function GuideYamatoSecurity
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Success and Failure" } else { "No Auditing" }
+
 $auditResult += [WELA]::New(
 "Security Advanced (System)",
 "System Integrity",
- $current,
+ $auditpol[$guid],
 [array]$rules,
 "Success and Failure",
 "Success and Failure",
@@ -1249,11 +1265,11 @@ function GuideYamatoSecurity
 $enabled = $true
 $rules = $all_rules | Where-Object { RuleFilter $_ $eids $channels $guid }
 $rules | ForEach-Object { $_.applicable = $enabled }
- $current = if ($enabled) { "Success and Failure" } else { "No Auditing" }
+
 $auditResult += [WELA]::New(
 "Security-Mitigations KernelMode",
 "",
- $current,
+ "Enabled",
 [array]$rules,
 "Enabled",
 "Enabled",
@@ -1268,11 +1284,11 @@ function GuideYamatoSecurity
 $enabled = $true
 $rules = $all_rules | Where-Object { RuleFilter $_ $eids $channels $guid }
 $rules | ForEach-Object { $_.applicable = $enabled }
- $current = if ($enabled) { "Success and Failure" } else { "No Auditing" }
+
 $auditResult += [WELA]::New(
 "Security-Mitigations UserMode",
 "",
- $current,
+ "Enabled",
 [array]$rules,
 "Enabled",
 "Enabled",
@@ -1287,11 +1303,11 @@ function GuideYamatoSecurity
 $enabled = $true
 $rules = $all_rules | Where-Object { RuleFilter $_ $eids $channels $guid }
 $rules | ForEach-Object { $_.applicable = $enabled }
- $current = if ($enabled) { "Success and Failure" } else { "No Auditing" }
+
 $auditResult += [WELA]::New(
 "SMBClient Security",
 "",
- $current,
+ "Enabled",
 [array]$rules,
 "Enabled",
 "Enabled",
@@ -1306,7 +1322,7 @@ function GuideYamatoSecurity
 $enabled = $true
 $rules = $all_rules | Where-Object { RuleFilter $_ $eids $channels $guid }
 $rules | ForEach-Object { $_.applicable = $enabled }
- $current = if ($enabled) { "Success and Failure" } else { "No Auditing" }
+
 $auditResult += [WELA]::New(
 "System",
 "",
@@ -1398,6 +1414,7 @@ function GuideASD {
 )
 $auditResult = @()
+ $auditpol = GetAuditpol
 # Application
 $guid = ""
@@ -1569,11 +1586,11 @@ function GuideASD {
 $enabled = CheckRegistryValue -registryPath "HKLM:\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\PowerShell\ModuleLogging" -valueName "EnableModuleLogging" -expectedValue 1
 $rules = $all_rules | Where-Object { RuleFilter $_ $eids $channels $guid }
 $rules | ForEach-Object { $_.applicable = $enabled }
- $current = if ($enabled) { "Success and Failure" } else { "No Auditing" }
+
 $auditResult += [WELA]::New(
 "PowerShell",
 "Module",
- $current,
+ $auditpol[$guid],
 [array]$rules,
 "No Auditing",
 "Enabled",
@@ -1588,11 +1605,11 @@ function GuideASD {
 $enabled = CheckRegistryValue -registryPath "HKLM:\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging" -valueName "EnableScriptBlockLogging" -expectedValue 1
 $rules = $all_rules | Where-Object { RuleFilter $_ $eids $channels $guid }
 $rules | ForEach-Object { $_.applicable = $enabled }
- $current = if ($enabled) { "Success and Failure" } else { "No Auditing" }
+
 $auditResult += [WELA]::New(
 "PowerShell",
 "ScriptBlock",
- $current,
+ $auditpol[$guid],
 [array]$rules,
 "Patially",
 "Enabled",
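Review bot: In the GuideASD PowerShell Module and ScriptBlock hunks the CurrentSetting becomes `$auditpol[$guid]` although `$enabled` for these entries comes from CheckRegistryValue on the registry, not from the audit policy; if `$guid` is empty for these registry-backed entries, as it is for the Application entry (`$guid = ""`), the lookup yields $null and the setting is shown blank even when module/script-block logging is on. The GuideYamatoSecurity counterparts in this same patch use a registry-derived label, so the two guides should agree: `$current = if ($enabled) { "Enabled" } else { "Disabled" }` and pass `$current` instead of `$auditpol[$guid]`. The context string `"Patially"` in the ScriptBlock entry looks like a typo for "Partially". GuideASD's body continues outside these hunks.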
@@ -1645,11 +1662,11 @@ function GuideASD {
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Success and Failure" } else { "No Auditing" }
+
 $auditResult += [WELA]::New(
 "Security Advanced (Account Logon)",
 "Credential Validation",
- $current,
+ $auditpol[$guid],
 [array]$rules,
 "Client OS: No Auditing | Server OS: Success",
 "Success and Failure",
@@ -1663,11 +1680,11 @@ function GuideASD {
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Success and Failure" } else { "No Auditing" }
+
 $auditResult += [WELA]::New(
 "Security Advanced (Account Logon)",
 "Kerberos Authentication Service",
- $current,
+ $auditpol[$guid],
 [array]$rules,
 "Client OS: No Auditing | Server OS: Success",
 "",
@@ -1681,11 +1698,11 @@ function GuideASD {
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Success and Failure" } else { "No Auditing" }
+
 $auditResult += [WELA]::New(
 "Security Advanced (Account Logon)",
 "Kerberos Service Ticket Operations",
- $current,
+ $auditpol[$guid],
 [array]$rules,
 "Client OS: No Auditing | Server OS: Success",
 "",
@@ -1700,11 +1717,11 @@ function GuideASD {
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Success and Failure" } else { "No Auditing" }
+
 $auditResult += [WELA]::New(
 "Security Advanced (Account Management)",
 "Computer Account Management",
- $current,
+ $auditpol[$guid],
 [array]$rules,
 "Client OS: No Auditing | Server OS: Success",
 "Success and Failure",
@@ -1718,11 +1735,11 @@ function GuideASD {
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Success and Failure" } else { "No Auditing" }
+
 $auditResult += [WELA]::New(
 "Security Advanced (Account Management)",
 "Other Account Management Events",
- $current,
+ $auditpol[$guid],
 [array]$rules,
 "No Auditing",
 "Success and Failure",
@@ -1736,11 +1753,11 @@ function GuideASD {
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Success and Failure" } else { "No Auditing" }
+
 $auditResult += [WELA]::New(
 "Security Advanced (Account Management)",
 "Security Group Management",
- $current,
+ $auditpol[$guid],
 [array]$rules,
 "No Auditing",
 "Success and Failure",
@@ -1754,11 +1771,11 @@ function GuideASD {
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Success and Failure" } else { "No Auditing" }
+
 $auditResult += [WELA]::New(
 "Security Advanced (Account Management)",
 "User Account Management",
- $current,
+ $auditpol[$guid],
 [array]$rules,
 "No Auditing",
 "Success and Failure",
@@ -1773,11 +1790,11 @@ function GuideASD {
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Success and Failure" } else { "No Auditing" }
+
 $auditResult += [WELA]::New(
 "Security Advanced (Detailed Tracking)",
 "Plug and Play Events",
- $current,
+ $auditpol[$guid],
 [array]$rules,
 "No Auditing",
 "",
@@ -1791,11 +1808,11 @@ function GuideASD {
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Success and Failure" } else { "No Auditing" }
+
 $auditResult += [WELA]::New(
 "Security Advanced (Detailed Tracking)",
 "Process Creation",
- $current,
+ $auditpol[$guid],
 [array]$rules,
 "No Auditing",
 "Success",
@@ -1809,11 +1826,11 @@ function GuideASD {
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Success and Failure" } else { "No Auditing" }
+
 $auditResult += [WELA]::New(
 "Security Advanced (Detailed Tracking)",
 "Process Termination",
- $current,
+ $auditpol[$guid],
 [array]$rules,
 "No Auditing",
 "Success",
@@ -1827,11 +1844,11 @@ function GuideASD {
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Success and Failure" } else { "No Auditing" }
+
 $auditResult += [WELA]::New(
 "Security Advanced (Detailed Tracking)",
 "RPC Events",
- $current,
+ $auditpol[$guid],
 [array]$rules,
 "No Auditing",
 "No Auditing",
@@ -1845,11 +1862,11 @@ function GuideASD {
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Success and Failure" } else { "No Auditing" }
+
 $auditResult += [WELA]::New(
 "Security Advanced (Detailed Tracking)",
 "Token Right Adjusted Events",
- $current,
+ $auditpol[$guid],
 [array]$rules,
 "No Auditing",
 "No Auditing",
@@ -1864,11 +1881,11 @@ function GuideASD {
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Success and Failure" } else { "No Auditing" }
+
 $auditResult += [WELA]::New(
 "Security Advanced (DS Access)",
 "Directory Service Access",
- $current,
+ $auditpol[$guid],
 [array]$rules,
 "Client OS: No Auditing | Server OS: Success",
 "",
@@ -1882,11 +1899,11 @@ function GuideASD {
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Success and Failure" } else { "No Auditing" }
+
 $auditResult += [WELA]::New(
 "Security Advanced (DS Access)",
 "Directory Service Changes",
- $current,
+ $auditpol[$guid],
 [array]$rules,
 "No Auditing",
 "",
@@ -1901,11 +1918,11 @@ function GuideASD {
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Success and Failure" } else { "No Auditing" }
+
 $auditResult += [WELA]::New(
 "Security Advanced (Logon/Logoff)",
 "Account Lockout",
- $current,
+ $auditpol[$guid],
 [array]$rules,
 "Success",
 "Failure",
@@ -1919,11 +1936,11 @@ function GuideASD {
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Success and Failure" } else { "No Auditing" }
+
 $auditResult += [WELA]::New(
 "Security Advanced (Logon/Logoff)",
 "Group Membership",
- $current,
+ $auditpol[$guid],
 [array]$rules,
 "No Auditing",
 "Success",
@@ -1937,11 +1954,11 @@ function GuideASD {
     $channels = @("sec")
     $enabled = $enabledguid -contains $guid
     $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
-    $current = if ($enabled) { "Success and Failure" } else { "No Auditing" }
+
     $auditResult += [WELA]::New(
         "Security Advanced (Logon/Logoff)",
         "Group Membership",
-        $current,
+        $auditpol[$guid],
         [array]$rules,
         "No Auditing",
         "Success",
@@ -1955,11 +1972,11 @@ function GuideASD {
     $channels = @("sec")
     $enabled = $enabledguid -contains $guid
     $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
-    $current = if ($enabled) { "Success and Failure" } else { "No Auditing" }
+
     $auditResult += [WELA]::New(
         "Security Advanced (Logon/Logoff)",
         "Logon",
-        $current,
+        $auditpol[$guid],
         [array]$rules,
         "Client OS: Success | Server OS: Success and Failure",
         "Success and Failure",
@@ -1973,11 +1990,11 @@ function GuideASD {
     $channels = @("sec")
     $enabled = $enabledguid -contains $guid
     $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
-    $current = if ($enabled) { "Success and Failure" } else { "No Auditing" }
+
     $auditResult += [WELA]::New(
         "Security Advanced (Logon/Logoff)",
         "Other Logon/Logoff Events",
-        $current,
+        $auditpol[$guid],
         [array]$rules,
         "No Auditing",
         "Success and Failure",
@@ -1991,11 +2008,11 @@ function GuideASD {
     $channels = @("sec")
     $enabled = $enabledguid -contains $guid
     $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
-    $current = if ($enabled) { "Success and Failure" } else { "No Auditing" }
+
     $auditResult += [WELA]::New(
         "Security Advanced (Logon/Logoff)",
         "Special Logon",
-        $current,
+        $auditpol[$guid],
         [array]$rules,
         "Success",
         "Success and Failure",
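Review bot: The hunk at -1937 now prints `$auditpol[$guid]` for a second "Security Advanced (Logon/Logoff)" / "Group Membership" row with exactly the same default and recommended values as the row directly above it, so the report will show two identically labelled rows that can carry different current settings and the reader cannot tell which subcategory each one describes. The Logon/Logoff list here goes Account Lockout, Group Membership, Group Membership, Logon, which suggests one of the two is really the "Logoff" subcategory, but only the `$guid = ...` assignment above the hunk can confirm that. If that is the case the fix is the one label line, `"Logoff",`, in whichever block carries the Logoff GUID.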
@@ -2011,11 +2028,11 @@ function GuideASD {
     $channels = @("sec")
     $enabled = $enabledguid -contains $guid
     $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
-    $current = if ($enabled) { "Success and Failure" } else { "No Auditing" }
+
     $auditResult += [WELA]::New(
         "Security Advanced (Object Access)",
         "Certification Services",
-        $current,
+        $auditpol[$guid],
         [array]$rules,
         "No Auditing",
         "",
@@ -2029,11 +2046,11 @@ function GuideASD {
     $channels = @("sec")
     $enabled = $enabledguid -contains $guid
     $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
-    $current = if ($enabled) { "Success and Failure" } else { "No Auditing" }
+
     $auditResult += [WELA]::New(
         "Security Advanced (Object Access)",
         "Certification Services",
-        $current,
+        $auditpol[$guid],
         [array]$rules,
         "No Auditing",
         "No Auditing",
@@ -2047,11 +2064,11 @@ function GuideASD {
     $channels = @("sec")
     $enabled = $enabledguid -contains $guid
     $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
-    $current = if ($enabled) { "Success and Failure" } else { "No Auditing" }
+
     $auditResult += [WELA]::New(
         "Security Advanced (Object Access)",
         "File Share",
-        $current,
+        $auditpol[$guid],
         [array]$rules,
         "No Auditing",
         "Success and Failure",
@@ -2065,11 +2082,11 @@ function GuideASD {
     $channels = @("sec")
     $enabled = $enabledguid -contains $guid
     $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
-    $current = if ($enabled) { "Success and Failure" } else { "No Auditing" }
+
     $auditResult += [WELA]::New(
         "Security Advanced (Object Access)",
         "File System",
-        $current,
+        $auditpol[$guid],
         [array]$rules,
         "No Auditing",
         "",
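Review bot: The hunks at -2011 and -2029 both emit a "Security Advanced (Object Access)" / "Certification Services" row, and now that each row's CurrentSetting is looked up by GUID the two rows can print different values under the same name, which makes the report ambiguous. The differing recommended settings (`""` versus `"No Auditing"`) show they are meant to be two different subcategories, so one label is wrong; the `$guid = ...` line above each hunk is what identifies the real subcategory and the label should be corrected to match it. Only the subcategory name line needs to change in whichever block is mislabelled.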
@@ -2083,11 +2100,11 @@ function GuideASD {
     $channels = @("sec")
     $enabled = $enabledguid -contains $guid
     $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
-    $current = if ($enabled) { "Success and Failure" } else { "No Auditing" }
+
     $auditResult += [WELA]::New(
         "Security Advanced (Object Access)",
         "Filtering Platform Connection",
-        $current,
+        $auditpol[$guid],
         [array]$rules,
         "No Auditing",
         "",
@@ -2101,11 +2118,11 @@ function GuideASD {
     $channels = @("sec")
     $enabled = $enabledguid -contains $guid
     $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
-    $current = if ($enabled) { "Success and Failure" } else { "No Auditing" }
+
     $auditResult += [WELA]::New(
         "Security Advanced (Object Access)",
         "Filtering Platform Packet Drop",
-        $current,
+        $auditpol[$guid],
         [array]$rules,
         "No Auditing",
         "",
@@ -2119,11 +2136,11 @@ function GuideASD {
     $channels = @("sec")
     $enabled = $enabledguid -contains $guid
     $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
-    $current = if ($enabled) { "Success and Failure" } else { "No Auditing" }
+
     $auditResult += [WELA]::New(
         "Security Advanced (Object Access)",
         "Kernel Object",
-        $current,
+        $auditpol[$guid],
         [array]$rules,
         "No Auditing",
         "Success and Failure",
@@ -2137,11 +2154,11 @@ function GuideASD {
     $channels = @("sec")
     $enabled = $enabledguid -contains $guid
     $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
-    $current = if ($enabled) { "Success and Failure" } else { "No Auditing" }
+
     $auditResult += [WELA]::New(
         "Security Advanced (Object Access)",
         "Handle Manipulation",
-        $current,
+        $auditpol[$guid],
         [array]$rules,
         "No Auditing",
         "",
@@ -2155,11 +2172,11 @@ function GuideASD {
     $channels = @("sec")
     $enabled = $enabledguid -contains $guid
     $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
-    $current = if ($enabled) { "Success and Failure" } else { "No Auditing" }
+
     $auditResult += [WELA]::New(
         "Security Advanced (Object Access)",
         "Other Object Access Events",
-        $current,
+        $auditpol[$guid],
         [array]$rules,
         "No Auditing",
         "Success and Failure",
@@ -2173,11 +2190,11 @@ function GuideASD {
     $channels = @("sec")
     $enabled = $enabledguid -contains $guid
     $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
-    $current = if ($enabled) { "Success and Failure" } else { "No Auditing" }
+
     $auditResult += [WELA]::New(
         "Security Advanced (Object Access)",
         "Registry",
-        $current,
+        $auditpol[$guid],
         [array]$rules,
         "No Auditing",
         "Success and Failure",
@@ -2191,11 +2208,11 @@ function GuideASD {
     $channels = @("sec")
     $enabled = $enabledguid -contains $guid
     $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
-    $current = if ($enabled) { "Success and Failure" } else { "No Auditing" }
+
     $auditResult += [WELA]::New(
         "Security Advanced (Object Access)",
         "Removable Storage",
-        $current,
+        $auditpol[$guid],
         [array]$rules,
         "No Auditing",
         "",
@@ -2209,11 +2226,11 @@ function GuideASD {
     $channels = @("sec")
     $enabled = $enabledguid -contains $guid
     $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
-    $current = if ($enabled) { "Success and Failure" } else { "No Auditing" }
+
     $auditResult += [WELA]::New(
         "Security Advanced (Object Access)",
         "SAM",
-        $current,
+        $auditpol[$guid],
         [array]$rules,
         "No Auditing",
         "",
@@ -2228,11 +2245,11 @@ function GuideASD {
     $channels = @("sec")
     $enabled = $enabledguid -contains $guid
     $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
-    $current = if ($enabled) { "Success and Failure" } else { "No Auditing" }
+
     $auditResult += [WELA]::New(
         "Security Advanced (Policy Change)",
         "Audit Policy Change",
-        $current,
+        $auditpol[$guid],
         [array]$rules,
         "Success",
         "Success and Failure",
@@ -2246,11 +2263,11 @@ function GuideASD {
     $channels = @("sec")
     $enabled = $enabledguid -contains $guid
     $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
-    $current = if ($enabled) { "Success and Failure" } else { "No Auditing" }
+
     $auditResult += [WELA]::New(
         "Security Advanced (Policy Change)",
         "Authentication Policy Change",
-        $current,
+        $auditpol[$guid],
         [array]$rules,
         "Success",
         "",
@@ -2264,11 +2281,11 @@ function GuideASD {
     $channels = @("sec")
     $enabled = $enabledguid -contains $guid
     $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
-    $current = if ($enabled) { "Success and Failure" } else { "No Auditing" }
+
     $auditResult += [WELA]::New(
         "Security Advanced (Policy Change)",
         "Authorization Policy Change",
-        $current,
+        $auditpol[$guid],
         [array]$rules,
         "No Auditing",
         "",
@@ -2282,11 +2299,11 @@ function GuideASD {
     $channels = @("sec")
     $enabled = $enabledguid -contains $guid
     $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
-    $current = if ($enabled) { "Success and Failure" } else { "No Auditing" }
+
     $auditResult += [WELA]::New(
         "Security Advanced (Policy Change)",
         "Filtering Platform Policy Change",
-        $current,
+        $auditpol[$guid],
         [array]$rules,
         "No Auditing",
         "",
@@ -2300,11 +2317,11 @@ function GuideASD {
     $channels = @("sec")
     $enabled = $enabledguid -contains $guid
     $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
-    $current = if ($enabled) { "Success and Failure" } else { "No Auditing" }
+
     $auditResult += [WELA]::New(
         "Security Advanced (Policy Change)",
         "MPSSVC Rule-Level Policy Change",
-        $current,
+        $auditpol[$guid],
         [array]$rules,
         "No Auditing",
         "",
@@ -2318,11 +2335,11 @@ function GuideASD {
     $channels = @("sec")
     $enabled = $enabledguid -contains $guid
     $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
-    $current = if ($enabled) { "Success and Failure" } else { "No Auditing" }
+
     $auditResult += [WELA]::New(
         "Security Advanced (Policy Change)",
         "Other Policy Change Events",
-        $current,
+        $auditpol[$guid],
         [array]$rules,
         "No Auditing",
         "Success and Failure",
@@ -2337,11 +2354,11 @@ function GuideASD {
     $channels = @("sec")
     $enabled = $enabledguid -contains $guid
     $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
-    $current = if ($enabled) { "Success and Failure" } else { "No Auditing" }
+
     $auditResult += [WELA]::New(
         "Security Advanced (Privilege Use)",
         "Non-Sensitive Privilege Use",
-        $current,
+        $auditpol[$guid],
         [array]$rules,
         "No Auditing",
         "",
@@ -2355,11 +2372,11 @@ function GuideASD {
     $channels = @("sec")
     $enabled = $enabledguid -contains $guid
     $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
-    $current = if ($enabled) { "Success and Failure" } else { "No Auditing" }
+
     $auditResult += [WELA]::New(
         "Security Advanced (Privilege Use)",
         "Sensitive Privilege Use",
-        $current,
+        $auditpol[$guid],
         [array]$rules,
         "No Auditing",
         "",
@@ -2374,11 +2391,11 @@ function GuideASD {
     $channels = @("sec")
     $enabled = $enabledguid -contains $guid
     $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
-    $current = if ($enabled) { "Success and Failure" } else { "No Auditing" }
+
     $auditResult += [WELA]::New(
         "Security Advanced (System)",
         "Other System Events",
-        $current,
+        $auditpol[$guid],
         [array]$rules,
         "Success and Failure",
         "",
@@ -2392,11 +2409,11 @@ function GuideASD {
     $channels = @("sec")
     $enabled = $enabledguid -contains $guid
     $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
-    $current = if ($enabled) { "Success and Failure" } else { "No Auditing" }
+
     $auditResult += [WELA]::New(
         "Security Advanced (System)",
         "Other System Events",
-        $current,
+        $auditpol[$guid],
         [array]$rules,
         "Success",
         "",
@@ -2410,11 +2427,11 @@ function GuideASD {
     $channels = @("sec")
     $enabled = $enabledguid -contains $guid
     $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
-    $current = if ($enabled) { "Success and Failure" } else { "No Auditing" }
+
     $auditResult += [WELA]::New(
         "Security Advanced (System)",
         "Security System Extension",
-        $current,
+        $auditpol[$guid],
         [array]$rules,
         "No Auditing",
         "",
@@ -2428,11 +2445,11 @@ function GuideASD {
     $channels = @("sec")
     $enabled = $enabledguid -contains $guid
     $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
-    $current = if ($enabled) { "Success and Failure" } else { "No Auditing" }
+
     $auditResult += [WELA]::New(
         "Security Advanced (System)",
         "System Integrity",
-        $current,
+        $auditpol[$guid],
         [array]$rules,
         "Success and Failure",
         "Success and Failure",
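Review bot: The hunks at -2374 and -2392 both report a "Security Advanced (System)" / "Other System Events" row, and with CurrentSetting now taken from `$auditpol[$guid]` the two rows can legitimately show different values under one name, so a reader cannot tell which subcategory is misconfigured. Their defaults differ ("Success and Failure" versus "Success"), which confirms they are two different subcategories and that one label is wrong; the `$guid = ...` assignment above each hunk identifies the real one and the name line should be corrected accordingly. Only that one string line needs to change.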
@@ -2447,11 +2464,11 @@ function GuideASD {
     $enabled = $true
     $rules = $all_rules | Where-Object { RuleFilter $_ $eids $channels $guid }
     $rules | ForEach-Object { $_.applicable = $enabled }
-    $current = if ($enabled) { "Success and Failure" } else { "No Auditing" }
+
     $auditResult += [WELA]::New(
         "Security-Mitigations KernelMode",
         "",
-        $current,
+        "Enabled",
         [array]$rules,
         "Enabled",
         "",
@@ -2466,11 +2483,11 @@ function GuideASD {
     $enabled = $true
     $rules = $all_rules | Where-Object { RuleFilter $_ $eids $channels $guid }
     $rules | ForEach-Object { $_.applicable = $enabled }
-    $current = if ($enabled) { "Success and Failure" } else { "No Auditing" }
+
     $auditResult += [WELA]::New(
         "Security-Mitigations UserMode",
         "",
-        $current,
+        "Enabled",
         [array]$rules,
         "Enabled",
         "",
@@ -2485,11 +2502,11 @@ function GuideASD {
     $enabled = $true
     $rules = $all_rules | Where-Object { RuleFilter $_ $eids $channels $guid }
     $rules | ForEach-Object { $_.applicable = $enabled }
-    $current = if ($enabled) { "Success and Failure" } else { "No Auditing" }
+
     $auditResult += [WELA]::New(
         "SMBClient Security",
         "",
-        $current,
+        "Enabled",
         [array]$rules,
         "Enabled",
         "",
@@ -2595,6 +2612,7 @@ function GuideMSC {
     )
     $auditResult = @()
+    $auditpol = GetAuditpol
     # Application
     $guid = ""
@@ -2766,11 +2784,11 @@ function GuideMSC {
     $enabled = CheckRegistryValue -registryPath "HKLM:\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\PowerShell\ModuleLogging" -valueName "EnableModuleLogging" -expectedValue 1
     $rules = $all_rules | Where-Object { RuleFilter $_ $eids $channels $guid }
     $rules | ForEach-Object { $_.applicable = $enabled }
-    $current = if ($enabled) { "Success and Failure" } else { "No Auditing" }
+
     $auditResult += [WELA]::New(
         "PowerShell",
         "Module",
-        $current,
+        $auditpol[$guid],
         [array]$rules,
         "No Auditing",
         "",
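Review bot: In the hunk at -2447 the CurrentSetting for "Security-Mitigations KernelMode" is the literal `"Enabled",` and `$enabled = $true` is likewise hard-coded, so the report now prints a "current" value that was never measured, side by side with auditpol rows that were; a reader will reasonably take it as evidence the channel is on. Either label it honestly (`"Enabled (assumed, not checked)",`) or actually query the log, e.g. `$enabled = (Get-WinEvent -ListLog $channelName -ErrorAction SilentlyContinue).IsEnabled -eq $true` and derive the string from that, where `$channelName` would be the event-log name the surrounding code already knows (it is assigned outside this hunk, so I cannot confirm the variable). The same pattern is repeated for UserMode and SMBClient Security on this line.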
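Review bot: In the hunk at -2766 the PowerShell "Module" row gets its CurrentSetting from `$auditpol[$guid]`, but module logging is a registry policy, not an advanced-audit subcategory, and the hunk itself computes the real state in `$enabled = CheckRegistryValue ... -valueName "EnableModuleLogging" -expectedValue 1`; unless the `$guid` assigned above the hunk is something GetAuditpol knows about (which seems unlikely for a registry-backed setting), the lookup yields nothing and the registry result is never shown. The value should come from the registry check instead, e.g. `$(if ($enabled) { "Enabled" } else { "Disabled" }),` in place of `$auditpol[$guid],`. The `$guid = ...` line for this block is outside the hunk.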
@@ -2785,11 +2803,11 @@ function GuideMSC {
     $enabled = CheckRegistryValue -registryPath "HKLM:\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging" -valueName "EnableScriptBlockLogging" -expectedValue 1
     $rules = $all_rules | Where-Object { RuleFilter $_ $eids $channels $guid }
     $rules | ForEach-Object { $_.applicable = $enabled }
-    $current = if ($enabled) { "Success and Failure" } else { "No Auditing" }
+
     $auditResult += [WELA]::New(
         "PowerShell",
         "ScriptBlock",
-        $current,
+        $auditpol[$guid],
         [array]$rules,
         "Patially",
         "",
@@ -2842,11 +2860,11 @@ function GuideMSC {
     $channels = @("sec")
     $enabled = $enabledguid -contains $guid
     $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
-    $current = if ($enabled) { "Success and Failure" } else { "No Auditing" }
+
     $auditResult += [WELA]::New(
         "Security Advanced (Account Logon)",
         "Credential Validation",
-        $current,
+        $auditpol[$guid],
         [array]$rules,
         "Client OS: No Auditing | Server OS: Success",
         "Success and Failure",
@@ -2860,11 +2878,11 @@ function GuideMSC {
     $channels = @("sec")
     $enabled = $enabledguid -contains $guid
     $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
-    $current = if ($enabled) { "Success and Failure" } else { "No Auditing" }
+
     $auditResult += [WELA]::New(
         "Security Advanced (Account Logon)",
         "Kerberos Authentication Service",
-        $current,
+        $auditpol[$guid],
         [array]$rules,
         "Client OS: No Auditing | Server OS: Success",
         "",
@@ -2878,11 +2896,11 @@ function GuideMSC {
     $channels = @("sec")
     $enabled = $enabledguid -contains $guid
     $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
-    $current = if ($enabled) { "Success and Failure" } else { "No Auditing" }
+
     $auditResult += [WELA]::New(
         "Security Advanced (Account Logon)",
         "Kerberos Service Ticket Operations",
-        $current,
+        $auditpol[$guid],
         [array]$rules,
         "Client OS: No Auditing | Server OS: Success",
         "",
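Review bot: In the hunk at -2785 the "ScriptBlock" row's CurrentSetting is `$auditpol[$guid]`, yet script block logging is decided by the registry value the hunk itself reads (`EnableScriptBlockLogging` under the ScriptBlockLogging policy key), not by any advanced-audit subcategory, so unless the `$guid` assigned above the hunk maps to something in GetAuditpol's output the displayed setting will be empty and the registry result is discarded. Replace `$auditpol[$guid],` with a value derived from the check, e.g. `$(if ($enabled) { "Enabled" } else { "Disabled" }),`. While here, the context line `"Patially",` is a typo for `"Partially",` and is what the report prints as the default. The `$guid = ...` assignment is outside the hunk.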
@@ -2897,11 +2915,11 @@ function GuideMSC {
     $channels = @("sec")
     $enabled = $enabledguid -contains $guid
     $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
-    $current = if ($enabled) { "Success and Failure" } else { "No Auditing" }
+
     $auditResult += [WELA]::New(
         "Security Advanced (Account Management)",
         "Computer Account Management",
-        $current,
+        $auditpol[$guid],
         [array]$rules,
         "Client OS: No Auditing | Server OS: Success",
         "Success",
@@ -2915,11 +2933,11 @@ function GuideMSC {
     $channels = @("sec")
     $enabled = $enabledguid -contains $guid
     $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
-    $current = if ($enabled) { "Success and Failure" } else { "No Auditing" }
+
     $auditResult += [WELA]::New(
         "Security Advanced (Account Management)",
         "Other Account Management Events",
-        $current,
+        $auditpol[$guid],
         [array]$rules,
         "No Auditing",
         "Success",
@@ -2933,11 +2951,11 @@ function GuideMSC {
     $channels = @("sec")
     $enabled = $enabledguid -contains $guid
     $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
-    $current = if ($enabled) { "Success and Failure" } else { "No Auditing" }
+
     $auditResult += [WELA]::New(
         "Security Advanced (Account Management)",
         "Security Group Management",
-        $current,
+        $auditpol[$guid],
         [array]$rules,
         "No Auditing",
         "Success",
@@ -2951,11 +2969,11 @@ function GuideMSC {
     $channels = @("sec")
     $enabled = $enabledguid -contains $guid
     $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
-    $current = if ($enabled) { "Success and Failure" } else { "No Auditing" }
+
     $auditResult += [WELA]::New(
         "Security Advanced (Account Management)",
         "User Account Management",
-        $current,
+        $auditpol[$guid],
         [array]$rules,
         "No Auditing",
         "Success",
@@ -2970,11 +2988,11 @@ function GuideMSC {
     $channels = @("sec")
     $enabled = $enabledguid -contains $guid
     $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
-    $current = if ($enabled) { "Success and Failure" } else { "No Auditing" }
+
     $auditResult += [WELA]::New(
         "Security Advanced (Detailed Tracking)",
         "Plug and Play Events",
-        $current,
+        $auditpol[$guid],
         [array]$rules,
         "No Auditing",
         "",
@@ -2988,11 +3006,11 @@ function GuideMSC {
     $channels = @("sec")
     $enabled = $enabledguid -contains $guid
     $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
-    $current = if ($enabled) { "Success and Failure" } else { "No Auditing" }
+
     $auditResult += [WELA]::New(
         "Security Advanced (Detailed Tracking)",
         "Process Creation",
-        $current,
+        $auditpol[$guid],
         [array]$rules,
         "No Auditing",
         "Success",
@@ -3006,11 +3024,11 @@ function GuideMSC {
     $channels = @("sec")
     $enabled = $enabledguid -contains $guid
     $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
-    $current = if ($enabled) { "Success and Failure" } else { "No Auditing" }
+
     $auditResult += [WELA]::New(
         "Security Advanced (Detailed Tracking)",
         "Process Termination",
-        $current,
+        $auditpol[$guid],
         [array]$rules,
         "No Auditing",
         "",
@@ -3024,11 +3042,11 @@ function GuideMSC {
     $channels = @("sec")
     $enabled = $enabledguid -contains $guid
     $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
-    $current = if ($enabled) { "Success and Failure" } else { "No Auditing" }
+
     $auditResult += [WELA]::New(
         "Security Advanced (Detailed Tracking)",
         "RPC Events",
-        $current,
+        $auditpol[$guid],
         [array]$rules,
         "No Auditing",
         "",
@@ -3042,11 +3060,11 @@ function GuideMSC {
     $channels = @("sec")
     $enabled = $enabledguid -contains $guid
     $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
-    $current = if ($enabled) { "Success and Failure" } else { "No Auditing" }
+
     $auditResult += [WELA]::New(
         "Security Advanced (Detailed Tracking)",
         "Token Right Adjusted Events",
-        $current,
+        $auditpol[$guid],
         [array]$rules,
         "No Auditing",
         "",
@@ -3061,11 +3079,11 @@ function GuideMSC {
     $channels = @("sec")
     $enabled = $enabledguid -contains $guid
     $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
-    $current = if ($enabled) { "Success and Failure" } else { "No Auditing" }
+
     $auditResult += [WELA]::New(
         "Security Advanced (DS Access)",
         "Directory Service Access",
-        $current,
+        $auditpol[$guid],
         [array]$rules,
         "Client OS: No Auditing | Server OS: Success",
         "",
@@ -3079,11 +3097,11 @@ function GuideMSC {
     $channels = @("sec")
     $enabled = $enabledguid -contains $guid
     $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
-    $current = if ($enabled) { "Success and Failure" } else { "No Auditing" }
+
     $auditResult += [WELA]::New(
         "Security Advanced (DS Access)",
         "Directory Service Changes",
-        $current,
+        $auditpol[$guid],
         [array]$rules,
         "No Auditing",
         "",
@@ -3098,11 +3116,11 @@ function GuideMSC {
     $channels = @("sec")
     $enabled = $enabledguid -contains $guid
     $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
-    $current = if ($enabled) { "Success and Failure" } else { "No Auditing" }
+
     $auditResult += [WELA]::New(
         "Security Advanced (Logon/Logoff)",
         "Account Lockout",
-        $current,
+        $auditpol[$guid],
         [array]$rules,
         "Success",
         "Failure",
@@ -3116,11 +3134,11 @@ function GuideMSC {
     $channels = @("sec")
     $enabled = $enabledguid -contains $guid
     $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
-    $current = if ($enabled) { "Success and Failure" } else { "No Auditing" }
+
     $auditResult += [WELA]::New(
         "Security Advanced (Logon/Logoff)",
         "Group Membership",
-        $current,
+        $auditpol[$guid],
         [array]$rules,
         "No Auditing",
         "Success",
@@ -3134,11 +3152,11 @@ function GuideMSC {
     $channels = @("sec")
     $enabled = $enabledguid -contains $guid
     $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
-    $current = if ($enabled) { "Success and Failure" } else { "No Auditing" }
+
     $auditResult += [WELA]::New(
         "Security Advanced (Logon/Logoff)",
         "Group Membership",
-        $current,
+        $auditpol[$guid],
         [array]$rules,
         "No Auditing",
         "Success",
@@ -3152,11 +3170,11 @@ function GuideMSC {
     $channels = @("sec")
     $enabled = $enabledguid -contains $guid
     $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
-    $current = if ($enabled) { "Success and Failure" } else { "No Auditing" }
+
     $auditResult += [WELA]::New(
         "Security Advanced (Logon/Logoff)",
         "Logon",
-        $current,
+        $auditpol[$guid],
         [array]$rules,
         "Client OS: Success | Server OS: Success and Failure",
         "Success and Failure",
@@ -3170,11 +3188,11 @@ function GuideMSC {
     $channels = @("sec")
     $enabled = $enabledguid -contains $guid
     $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
-    $current = if ($enabled) { "Success and Failure" } else { "No Auditing" }
+
     $auditResult += [WELA]::New(
         "Security Advanced (Logon/Logoff)",
         "Other Logon/Logoff Events",
-        $current,
+        $auditpol[$guid],
         [array]$rules,
         "No Auditing",
         "Success and Failure",
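Review bot: The hunks at -3116 and -3134 both produce a "Security Advanced (Logon/Logoff)" / "Group Membership" row in GuideMSC with identical default and recommended values, and now that CurrentSetting is resolved per GUID the two rows can show different current settings under the same name, leaving the reader unable to tell which subcategory is wrong. The sequence Account Lockout, Group Membership, Group Membership, Logon suggests the second block is the "Logoff" subcategory, but only the `$guid = ...` assignment above the hunk can confirm it; if so the fix is the single label line `"Logoff",`.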
@@ -3188,11 +3206,11 @@ function GuideMSC {
     $channels = @("sec")
     $enabled = $enabledguid -contains $guid
     $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
-    $current = if ($enabled) { "Success and Failure" } else { "No Auditing" }
+
     $auditResult += [WELA]::New(
         "Security Advanced (Logon/Logoff)",
         "Special Logon",
-        $current,
+        $auditpol[$guid],
         [array]$rules,
         "Success",
         "Success",
@@ -3208,11 +3226,11 @@ function GuideMSC {
     $channels = @("sec")
     $enabled = $enabledguid -contains $guid
     $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
-    $current = if ($enabled) { "Success and Failure" } else { "No Auditing" }
+
     $auditResult += [WELA]::New(
         "Security Advanced (Object Access)",
         "Certification Services",
-        $current,
+        $auditpol[$guid],
         [array]$rules,
         "No Auditing",
         "",
@@ -3226,11 +3244,11 @@ function GuideMSC {
     $channels = @("sec")
     $enabled = $enabledguid -contains $guid
     $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
-    $current = if ($enabled) { "Success and Failure" } else { "No Auditing" }
+
     $auditResult += [WELA]::New(
         "Security Advanced (Object Access)",
         "Certification Services",
-        $current,
+        $auditpol[$guid],
         [array]$rules,
         "No Auditing",
         "",
@@ -3244,11 +3262,11 @@ function GuideMSC {
     $channels = @("sec")
     $enabled = $enabledguid -contains $guid
     $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
-    $current = if ($enabled) { "Success and Failure" } else { "No Auditing" }
+
     $auditResult += [WELA]::New(
         "Security Advanced (Object Access)",
         "File Share",
-        $current,
+        $auditpol[$guid],
         [array]$rules,
         "No Auditing",
         "Success and Failure",
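Review bot: The hunks at -3208 and -3226 each emit a "Security Advanced (Object Access)" / "Certification Services" row with the same default and recommended values, so in GuideMSC the report will carry two indistinguishable rows whose `$auditpol[$guid]` values may differ. Two blocks with separate GUIDs cannot both be Certification Services; the `$guid = ...` assignment above each hunk shows which subcategory is really meant and the label line in the mislabelled block should be corrected to that name. Only the one string line changes.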
@@ -3262,11 +3280,11 @@ function GuideMSC {
     $channels = @("sec")
     $enabled = $enabledguid -contains $guid
     $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
-    $current = if ($enabled) { "Success and Failure" } else { "No Auditing" }
+
     $auditResult += [WELA]::New(
         "Security Advanced (Object Access)",
         "File System",
-        $current,
+        $auditpol[$guid],
         [array]$rules,
         "No Auditing",
         "",
@@ -3280,11 +3298,11 @@ function GuideMSC {
     $channels = @("sec")
     $enabled = $enabledguid -contains $guid
     $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
-    $current = if ($enabled) { "Success and Failure" } else { "No Auditing" }
+
     $auditResult += [WELA]::New(
         "Security Advanced (Object Access)",
         "Filtering Platform Connection",
-        $current,
+        $auditpol[$guid],
         [array]$rules,
         "No Auditing",
         "",
@@ -3298,11 +3316,11 @@ function GuideMSC {
     $channels = @("sec")
     $enabled = $enabledguid -contains $guid
     $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
-    $current = if ($enabled) { "Success and Failure" } else { "No Auditing" }
+
     $auditResult += [WELA]::New(
         "Security Advanced (Object Access)",
         "Filtering Platform Packet Drop",
-        $current,
+        $auditpol[$guid],
         [array]$rules,
         "No Auditing",
         "",
@@ -3316,11 +3334,11 @@ function GuideMSC {
     $channels = @("sec")
     $enabled = $enabledguid -contains $guid
     $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
-    $current = if ($enabled) { "Success and Failure" } else { "No Auditing" }
+
     $auditResult += [WELA]::New(
         "Security Advanced (Object Access)",
         "Kernel Object",
-        $current,
+        $auditpol[$guid],
         [array]$rules,
         "No Auditing",
         "Success and Failure",
@@ -3334,11 +3352,11 @@ function GuideMSC {
     $channels = @("sec")
     $enabled = $enabledguid -contains $guid
     $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
-    $current = if ($enabled) { "Success and Failure" } else { "No Auditing" }
+
     $auditResult += [WELA]::New(
         "Security Advanced (Object Access)",
         "Handle Manipulation",
-        $current,
+        $auditpol[$guid],
         [array]$rules,
         "No Auditing",
         "",
@@ -3352,11 +3370,11 @@ function GuideMSC {
     $channels = @("sec")
     $enabled = $enabledguid -contains $guid
     $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
-    $current = if ($enabled) { "Success and Failure" } else { "No Auditing" }
+
     $auditResult += [WELA]::New(
         "Security Advanced (Object Access)",
         "Other Object Access Events",
-        $current,
+        $auditpol[$guid],
         [array]$rules,
         "No Auditing",
         "Success and Failure",
@@ -3370,11 +3388,11 @@ function GuideMSC {
     $channels = @("sec")
     $enabled = $enabledguid -contains $guid
     $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
-    $current = if ($enabled) { "Success and Failure" } else { "No Auditing" }
+
     $auditResult += [WELA]::New(
         "Security Advanced (Object Access)",
         "Registry",
-        $current,
+        $auditpol[$guid],
         [array]$rules,
         "No Auditing",
         "Success and Failure",
@@ -3388,11 +3406,11 @@ function GuideMSC {
     $channels = @("sec")
     $enabled = $enabledguid -contains $guid
     $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
-    $current = if ($enabled) { "Success and Failure" } else { "No Auditing" }
+
     $auditResult += [WELA]::New(
         "Security Advanced (Object Access)",
         "Removable Storage",
-        $current,
+        $auditpol[$guid],
         [array]$rules,
         "No Auditing",
         "",
@@ -3406,11 +3424,11 @@ function GuideMSC {
     $channels = @("sec")
     $enabled = $enabledguid -contains $guid
     $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
-    $current = if ($enabled) { "Success and Failure" } else { "No Auditing" }
+
     $auditResult += [WELA]::New(
         "Security Advanced (Object Access)",
         "SAM",
-        $current,
+        $auditpol[$guid],
         [array]$rules,
         "No Auditing",
         "",
@@ -3425,11 +3443,11 @@ function GuideMSC {
     $channels = @("sec")
     $enabled = $enabledguid -contains $guid
     $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
-    $current = if ($enabled) { "Success and Failure" } else { "No Auditing" }
+
     $auditResult += [WELA]::New(
         "Security Advanced (Policy Change)",
         "Audit Policy Change",
-        $current,
+        $auditpol[$guid],
         [array]$rules,
         "Success",
         "Success and Failure",
@@ -3443,11 +3461,11 @@ function GuideMSC {
     $channels = @("sec")
     $enabled = $enabledguid -contains $guid
     $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
-    $current = if ($enabled) { "Success and Failure" } else { "No Auditing" }
+
     $auditResult += [WELA]::New(
         "Security Advanced (Policy Change)",
         "Authentication Policy Change",
-        $current,
+        $auditpol[$guid],
         [array]$rules,
         "Success",
         "Success",
@@ -3461,11 +3479,11 @@ function GuideMSC {
     $channels = @("sec")
     $enabled = $enabledguid -contains $guid
     $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
-    $current = if ($enabled) { "Success and Failure" } else { "No Auditing" }
+
     $auditResult += [WELA]::New(
         "Security Advanced (Policy Change)",
         "Authorization Policy Change",
-        $current,
+        $auditpol[$guid],
         [array]$rules,
         "No Auditing",
         "",
@@ -3479,11 +3497,11 @@ function GuideMSC {
     $channels = @("sec")
     $enabled = $enabledguid -contains $guid
     $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
-    $current = if ($enabled) { "Success and Failure" } else { "No Auditing" }
+
     $auditResult += [WELA]::New(
         "Security Advanced (Policy Change)",
         "Filtering Platform Policy Change",
-        $current,
+        $auditpol[$guid],
         [array]$rules,
         "No Auditing",
         "",
@@ -3497,11 +3515,11 @@ function GuideMSC {
     $channels = @("sec")
     $enabled = $enabledguid -contains $guid
     $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
-    $current = if ($enabled) { "Success and Failure" } else { "No Auditing" }
+
     $auditResult += [WELA]::New(
         "Security Advanced (Policy Change)",
         "MPSSVC Rule-Level Policy Change",
-        $current,
+        $auditpol[$guid],
         [array]$rules,
         "No Auditing",
         "",
@@ -3515,11 +3533,11 @@ function GuideMSC {
     $channels = @("sec")
     $enabled = $enabledguid -contains $guid
     $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
-    $current = if ($enabled) { "Success and Failure" } else { "No Auditing" }
+
     $auditResult += [WELA]::New(
         "Security Advanced (Policy Change)",
         "Other Policy Change Events",
-        $current,
+        $auditpol[$guid],
         [array]$rules,
         "No Auditing",
         "Success and Failure",
@@ -3534,11 +3552,11 @@ function GuideMSC {
     $channels = @("sec")
     $enabled = $enabledguid -contains $guid
     $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
-    $current = if ($enabled) { "Success and Failure" } else { "No Auditing" }
+
     $auditResult += [WELA]::New(
         "Security Advanced (Privilege Use)",
         "Non-Sensitive Privilege Use",
-        $current,
+        $auditpol[$guid],
         [array]$rules,
         "No Auditing",
         "",
@@ -3552,11 +3570,11 @@ function GuideMSC {
     $channels = @("sec")
     $enabled = $enabledguid -contains $guid
     $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
-    $current = if ($enabled) { "Success and Failure" } else { "No Auditing" }
+
     $auditResult += [WELA]::New(
         "Security Advanced (Privilege Use)",
         "Sensitive Privilege Use",
-        $current,
+        $auditpol[$guid],
         [array]$rules,
         "No Auditing",
         "",
@@ -3571,11 +3589,11 @@ function GuideMSC {
     $channels = @("sec")
     $enabled = $enabledguid -contains $guid
     $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
-    $current = if ($enabled) { "Success and Failure" } else { "No Auditing" }
+
     $auditResult += [WELA]::New(
         "Security Advanced (System)",
         "Other System Events",
-        $current,
+        $auditpol[$guid],
         [array]$rules,
         "Success and Failure",
         "",
@@ -3589,11 +3607,11 @@ function GuideMSC {
     $channels = @("sec")
     $enabled = $enabledguid -contains $guid
     $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
-    $current = if ($enabled) { "Success and Failure" } else { "No Auditing" }
+
     $auditResult += [WELA]::New(
         "Security Advanced (System)",
         "Other System Events",
-        $current,
+        $auditpol[$guid],
         [array]$rules,
         "Success",
         "Success and Failure",
@@ -3607,11 +3625,11 @@ function GuideMSC {
     $channels = @("sec")
     $enabled = $enabledguid -contains $guid
     $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
-    $current = if ($enabled) { "Success and Failure" } else { "No Auditing" }
+
     $auditResult += [WELA]::New(
         "Security Advanced (System)",
         "Security System Extension",
-        $current,
+        $auditpol[$guid],
         [array]$rules,
         "No Auditing",
         "",
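Review bot: The hunks at -3571 and -3589 both label their row "Security Advanced (System)" / "Other System Events" in GuideMSC, and since CurrentSetting is now `$auditpol[$guid]` per block, the report can show two "Other System Events" rows with different current and recommended values and no way to tell them apart. The defaults differ ("Success and Failure" versus "Success"), which confirms these are two distinct subcategories, so one of the name lines is wrong; the `$guid = ...` assignment above each hunk identifies which subcategory is really meant and that label should be corrected to match. Only the one string line needs to change.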
@@ -3625,11 +3643,11 @@ function GuideMSC {
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Success and Failure" } else { "No Auditing" }
+
 $auditResult += [WELA]::New(
 "Security Advanced (System)",
 "System Integrity",
- $current,
+ $auditpol[$guid],
 [array]$rules,
 "Success and Failure",
 "Success and Failure",
@@ -3644,11 +3662,11 @@ function GuideMSC {
 $enabled = $true
 $rules = $all_rules | Where-Object { RuleFilter $_ $eids $channels $guid }
 $rules | ForEach-Object { $_.applicable = $enabled }
- $current = if ($enabled) { "Success and Failure" } else { "No Auditing" }
+
 $auditResult += [WELA]::New(
 "Security-Mitigations KernelMode",
 "",
- $current,
+ "Enabled",
 [array]$rules,
 "Enabled",
 "",
@@ -3663,11 +3681,11 @@ function GuideMSC {
 $enabled = $true
 $rules = $all_rules | Where-Object { RuleFilter $_ $eids $channels $guid }
 $rules | ForEach-Object { $_.applicable = $enabled }
- $current = if ($enabled) { "Success and Failure" } else { "No Auditing" }
+
 $auditResult += [WELA]::New(
 "Security-Mitigations UserMode",
 "",
- $current,
+ "Enabled",
 [array]$rules,
 "Enabled",
 "",
@@ -3682,11 +3700,11 @@ function GuideMSC {
 $enabled = $true
 $rules = $all_rules | Where-Object { RuleFilter $_ $eids $channels $guid }
 $rules | ForEach-Object { $_.applicable = $enabled }
- $current = if ($enabled) { "Success and Failure" } else { "No Auditing" }
+
 $auditResult += [WELA]::New(
 "SMBClient Security",
 "",
- $current,
+ "Enabled",
 [array]$rules,
 "Enabled",
 "",
@@ -3792,6 +3810,8 @@ function GuideMSS {
 )
 $auditResult = @()
+ $auditpol = GetAuditpol
+
 # Application
 $guid = ""
 $eids = @()
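Review bot: The Security-Mitigations KernelMode, Security-Mitigations UserMode and SMBClient Security hunks now pass a literal `"Enabled"` as the current setting while `$enabled = $true` is also hard-coded, so the tool asserts the channel state rather than measuring it: a host where that log has been turned off still shows "Enabled" and counts toward the enabled percentage, which is exactly the gap an audit tool is meant to expose. These are event-log channels rather than audit subcategories, so the state can be read with `(Get-WinEvent -ListLog "<channel-name>" -ErrorAction SilentlyContinue).IsEnabled` and mapped to "Enabled"/"Disabled" the way the registry-backed entries are, feeding both `$enabled` and the constructor argument. GuideMSC starts and ends outside these hunks.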
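Review bot: `$auditpol = GetAuditpol` is not checked before GuideMSS indexes it at every subcategory below; if GetAuditpol returns nothing (auditpol.exe unavailable, a non-elevated shell, or output it could not parse) every `$auditpol[$guid]` quietly yields $null, and under `Set-StrictMode` it throws instead. A guard such as `if (-not $auditpol) { Write-Warning "Audit policy could not be read; CurrentSetting will be blank." }` right after the assignment makes that failure visible in the report. GetAuditpol is outside the hunk, so it cannot be confirmed here whether its values are locale-independent; if it parses auditpol.exe's text table, that text is localized and the literal compare against `"No Auditing"` in AuditLogSetting will only hold on English systems, which deserves either normalisation in GetAuditpol or a comment stating the supported locale.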
@@ -3962,11 +3982,11 @@ function GuideMSS {
 $enabled = CheckRegistryValue -registryPath "HKLM:\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\PowerShell\ModuleLogging" -valueName "EnableModuleLogging" -expectedValue 1
 $rules = $all_rules | Where-Object { RuleFilter $_ $eids $channels $guid }
 $rules | ForEach-Object { $_.applicable = $enabled }
- $current = if ($enabled) { "Success and Failure" } else { "No Auditing" }
+
 $auditResult += [WELA]::New(
 "PowerShell",
 "Module",
- $current,
+ $auditpol[$guid],
 [array]$rules,
 "No Auditing",
 "",
@@ -3981,11 +4001,11 @@ function GuideMSS {
 $enabled = CheckRegistryValue -registryPath "HKLM:\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging" -valueName "EnableScriptBlockLogging" -expectedValue 1
 $rules = $all_rules | Where-Object { RuleFilter $_ $eids $channels $guid }
 $rules | ForEach-Object { $_.applicable = $enabled }
- $current = if ($enabled) { "Success and Failure" } else { "No Auditing" }
+
 $auditResult += [WELA]::New(
 "PowerShell",
 "ScriptBlock",
- $current,
+ $auditpol[$guid],
 [array]$rules,
 "Patially",
 "",
@@ -4038,11 +4058,11 @@ function GuideMSS {
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Success and Failure" } else { "No Auditing" }
+
 $auditResult += [WELA]::New(
 "Security Advanced (Account Logon)",
 "Credential Validation",
- $current,
+ $auditpol[$guid],
 [array]$rules,
 "Client OS: No Auditing | Server OS: Success",
 "Success and Failure",
@@ -4056,11 +4076,11 @@ function GuideMSS {
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Success and Failure" } else { "No Auditing" }
+
 $auditResult += [WELA]::New(
 "Security Advanced (Account Logon)",
 "Kerberos Authentication Service",
- $current,
+ $auditpol[$guid],
 [array]$rules,
 "Client OS: No Auditing | Server OS: Success",
 "",
@@ -4074,11 +4094,11 @@ function GuideMSS {
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Success and Failure" } else { "No Auditing" }
+
 $auditResult += [WELA]::New(
 "Security Advanced (Account Logon)",
 "Kerberos Service Ticket Operations",
- $current,
+ $auditpol[$guid],
 [array]$rules,
 "Client OS: No Auditing | Server OS: Success",
 "",
@@ -4093,11 +4113,11 @@ function GuideMSS {
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Success and Failure" } else { "No Auditing" }
+
 $auditResult += [WELA]::New(
 "Security Advanced (Account Management)",
 "Computer Account Management",
- $current,
+ $auditpol[$guid],
 [array]$rules,
 "Client OS: No Auditing | Server OS: Success",
 "Success and Failure",
@@ -4111,11 +4131,11 @@ function GuideMSS {
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Success and Failure" } else { "No Auditing" }
+
 $auditResult += [WELA]::New(
 "Security Advanced (Account Management)",
 "Other Account Management Events",
- $current,
+ $auditpol[$guid],
 [array]$rules,
 "No Auditing",
 "Success and Failure",
@@ -4129,11 +4149,11 @@ function GuideMSS {
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Success and Failure" } else { "No Auditing" }
+
 $auditResult += [WELA]::New(
 "Security Advanced (Account Management)",
 "Security Group Management",
- $current,
+ $auditpol[$guid],
 [array]$rules,
 "No Auditing",
 "Success and Failure",
@@ -4147,11 +4167,11 @@ function GuideMSS {
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Success and Failure" } else { "No Auditing" }
+
 $auditResult += [WELA]::New(
 "Security Advanced (Account Management)",
 "User Account Management",
- $current,
+ $auditpol[$guid],
 [array]$rules,
 "No Auditing",
 "Success and Failure",
@@ -4166,11 +4186,11 @@ function GuideMSS {
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Success and Failure" } else { "No Auditing" }
+
 $auditResult += [WELA]::New(
 "Security Advanced (Detailed Tracking)",
 "Plug and Play Events",
- $current,
+ $auditpol[$guid],
 [array]$rules,
 "No Auditing",
 "",
@@ -4184,11 +4204,11 @@ function GuideMSS {
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Success and Failure" } else { "No Auditing" }
+
 $auditResult += [WELA]::New(
 "Security Advanced (Detailed Tracking)",
 "Process Creation",
- $current,
+ $auditpol[$guid],
 [array]$rules,
 "No Auditing",
 "Success",
@@ -4202,11 +4222,11 @@ function GuideMSS {
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Success and Failure" } else { "No Auditing" }
+
 $auditResult += [WELA]::New(
 "Security Advanced (Detailed Tracking)",
 "Process Termination",
- $current,
+ $auditpol[$guid],
 [array]$rules,
 "No Auditing",
 "",
@@ -4220,11 +4240,11 @@ function GuideMSS {
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Success and Failure" } else { "No Auditing" }
+
 $auditResult += [WELA]::New(
 "Security Advanced (Detailed Tracking)",
 "RPC Events",
- $current,
+ $auditpol[$guid],
 [array]$rules,
 "No Auditing",
 "",
@@ -4238,11 +4258,11 @@ function GuideMSS {
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Success and Failure" } else { "No Auditing" }
+
 $auditResult += [WELA]::New(
 "Security Advanced (Detailed Tracking)",
 "Token Right Adjusted Events",
- $current,
+ $auditpol[$guid],
 [array]$rules,
 "No Auditing",
 "",
@@ -4257,11 +4277,11 @@ function GuideMSS {
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Success and Failure" } else { "No Auditing" }
+
 $auditResult += [WELA]::New(
 "Security Advanced (DS Access)",
 "Directory Service Access",
- $current,
+ $auditpol[$guid],
 [array]$rules,
 "Client OS: No Auditing | Server OS: Success",
 "Success and Failure",
@@ -4275,11 +4295,11 @@ function GuideMSS {
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Success and Failure" } else { "No Auditing" }
+
 $auditResult += [WELA]::New(
 "Security Advanced (DS Access)",
 "Directory Service Changes",
- $current,
+ $auditpol[$guid],
 [array]$rules,
 "No Auditing",
 "Success and Failure",
@@ -4294,11 +4314,11 @@ function GuideMSS {
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Success and Failure" } else { "No Auditing" }
+
 $auditResult += [WELA]::New(
 "Security Advanced (Logon/Logoff)",
 "Account Lockout",
- $current,
+ $auditpol[$guid],
 [array]$rules,
 "Success",
 "Failure",
@@ -4312,11 +4332,11 @@ function GuideMSS {
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Success and Failure" } else { "No Auditing" }
+
 $auditResult += [WELA]::New(
 "Security Advanced (Logon/Logoff)",
 "Group Membership",
- $current,
+ $auditpol[$guid],
 [array]$rules,
 "No Auditing",
 "Success",
@@ -4330,11 +4350,11 @@ function GuideMSS {
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Success and Failure" } else { "No Auditing" }
+
 $auditResult += [WELA]::New(
 "Security Advanced (Logon/Logoff)",
 "Group Membership",
- $current,
+ $auditpol[$guid],
 [array]$rules,
 "No Auditing",
 "Success",
@@ -4348,11 +4368,11 @@ function GuideMSS {
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Success and Failure" } else { "No Auditing" }
+
 $auditResult += [WELA]::New(
 "Security Advanced (Logon/Logoff)",
 "Logon",
- $current,
+ $auditpol[$guid],
 [array]$rules,
 "Client OS: Success | Server OS: Success and Failure",
 "Success and Failure",
@@ -4366,11 +4386,11 @@ function GuideMSS {
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Success and Failure" } else { "No Auditing" }
+
 $auditResult += [WELA]::New(
 "Security Advanced (Logon/Logoff)",
 "Other Logon/Logoff Events",
- $current,
+ $auditpol[$guid],
 [array]$rules,
 "No Auditing",
 "Success and Failure",
@@ -4384,11 +4404,11 @@ function GuideMSS {
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Success and Failure" } else { "No Auditing" }
+
 $auditResult += [WELA]::New(
 "Security Advanced (Logon/Logoff)",
 "Special Logon",
- $current,
+ $auditpol[$guid],
 [array]$rules,
 "Success",
 "Success",
@@ -4404,11 +4424,11 @@ function GuideMSS {
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Success and Failure" } else { "No Auditing" }
+
 $auditResult += [WELA]::New(
 "Security Advanced (Object Access)",
 "Certification Services",
- $current,
+ $auditpol[$guid],
 [array]$rules,
 "No Auditing",
 "",
@@ -4422,11 +4442,11 @@ function GuideMSS {
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Success and Failure" } else { "No Auditing" }
+
 $auditResult += [WELA]::New(
 "Security Advanced (Object Access)",
 "Certification Services",
- $current,
+ $auditpol[$guid],
 [array]$rules,
 "No Auditing",
 "",
@@ -4440,11 +4460,11 @@ function GuideMSS {
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Success and Failure" } else { "No Auditing" }
+
 $auditResult += [WELA]::New(
 "Security Advanced (Object Access)",
 "File Share",
- $current,
+ $auditpol[$guid],
 [array]$rules,
 "No Auditing",
 "Success and Failure",
@@ -4458,11 +4478,11 @@ function GuideMSS {
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Success and Failure" } else { "No Auditing" }
+
 $auditResult += [WELA]::New(
 "Security Advanced (Object Access)",
 "File System",
- $current,
+ $auditpol[$guid],
 [array]$rules,
 "No Auditing",
 "",
@@ -4476,11 +4496,11 @@ function GuideMSS {
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Success and Failure" } else { "No Auditing" }
+
 $auditResult += [WELA]::New(
 "Security Advanced (Object Access)",
 "Filtering Platform Connection",
- $current,
+ $auditpol[$guid],
 [array]$rules,
 "No Auditing",
 "",
@@ -4494,11 +4514,11 @@ function GuideMSS {
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Success and Failure" } else { "No Auditing" }
+
 $auditResult += [WELA]::New(
 "Security Advanced (Object Access)",
 "Filtering Platform Packet Drop",
- $current,
+ $auditpol[$guid],
 [array]$rules,
 "No Auditing",
 "",
@@ -4512,11 +4532,11 @@ function GuideMSS {
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Success and Failure" } else { "No Auditing" }
+
 $auditResult += [WELA]::New(
 "Security Advanced (Object Access)",
 "Kernel Object",
- $current,
+ $auditpol[$guid],
 [array]$rules,
 "No Auditing",
 "Success and Failure",
@@ -4530,11 +4550,11 @@ function GuideMSS {
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Success and Failure" } else { "No Auditing" }
+
 $auditResult += [WELA]::New(
 "Security Advanced (Object Access)",
 "Handle Manipulation",
- $current,
+ $auditpol[$guid],
 [array]$rules,
 "No Auditing",
 "",
@@ -4548,11 +4568,11 @@ function GuideMSS {
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Success and Failure" } else { "No Auditing" }
+
 $auditResult += [WELA]::New(
 "Security Advanced (Object Access)",
 "Other Object Access Events",
- $current,
+ $auditpol[$guid],
 [array]$rules,
 "No Auditing",
 "Success and Failure",
@@ -4566,11 +4586,11 @@ function GuideMSS {
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Success and Failure" } else { "No Auditing" }
+
 $auditResult += [WELA]::New(
 "Security Advanced (Object Access)",
 "Registry",
- $current,
+ $auditpol[$guid],
 [array]$rules,
 "No Auditing",
 "Success and Failure",
@@ -4584,11 +4604,11 @@ function GuideMSS {
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Success and Failure" } else { "No Auditing" }
+
 $auditResult += [WELA]::New(
 "Security Advanced (Object Access)",
 "Removable Storage",
- $current,
+ $auditpol[$guid],
 [array]$rules,
 "No Auditing",
 "",
@@ -4602,11 +4622,11 @@ function GuideMSS {
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Success and Failure" } else { "No Auditing" }
+
 $auditResult += [WELA]::New(
 "Security Advanced (Object Access)",
 "SAM",
- $current,
+ $auditpol[$guid],
 [array]$rules,
 "No Auditing",
 "",
@@ -4621,11 +4641,11 @@ function GuideMSS {
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Success and Failure" } else { "No Auditing" }
+
 $auditResult += [WELA]::New(
 "Security Advanced (Policy Change)",
 "Audit Policy Change",
- $current,
+ $auditpol[$guid],
 [array]$rules,
 "Success",
 "Success and Failure",
@@ -4639,11 +4659,11 @@ function GuideMSS {
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Success and Failure" } else { "No Auditing" }
+
 $auditResult += [WELA]::New(
 "Security Advanced (Policy Change)",
 "Authentication Policy Change",
- $current,
+ $auditpol[$guid],
 [array]$rules,
 "Success",
 "Success",
@@ -4657,11 +4677,11 @@ function GuideMSS {
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Success and Failure" } else { "No Auditing" }
+
 $auditResult += [WELA]::New(
 "Security Advanced (Policy Change)",
 "Authorization Policy Change",
- $current,
+ $auditpol[$guid],
 [array]$rules,
 "No Auditing",
 "",
@@ -4675,11 +4695,11 @@ function GuideMSS {
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Success and Failure" } else { "No Auditing" }
+
 $auditResult += [WELA]::New(
 "Security Advanced (Policy Change)",
 "Filtering Platform Policy Change",
- $current,
+ $auditpol[$guid],
 [array]$rules,
 "No Auditing",
 "",
@@ -4693,11 +4713,11 @@ function GuideMSS {
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Success and Failure" } else { "No Auditing" }
+
 $auditResult += [WELA]::New(
 "Security Advanced (Policy Change)",
 "MPSSVC Rule-Level Policy Change",
- $current,
+ $auditpol[$guid],
 [array]$rules,
 "No Auditing",
 "",
@@ -4711,11 +4731,11 @@ function GuideMSS {
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Success and Failure" } else { "No Auditing" }
+
 $auditResult += [WELA]::New(
 "Security Advanced (Policy Change)",
 "Other Policy Change Events",
- $current,
+ $auditpol[$guid],
 [array]$rules,
 "No Auditing",
 "Success and Failure",
@@ -4730,11 +4750,11 @@ function GuideMSS {
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Success and Failure" } else { "No Auditing" }
+
 $auditResult += [WELA]::New(
 "Security Advanced (Privilege Use)",
 "Non-Sensitive Privilege Use",
- $current,
+ $auditpol[$guid],
 [array]$rules,
 "No Auditing",
 "",
@@ -4748,11 +4768,11 @@ function GuideMSS {
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Success and Failure" } else { "No Auditing" }
+
 $auditResult += [WELA]::New(
 "Security Advanced (Privilege Use)",
 "Sensitive Privilege Use",
- $current,
+ $auditpol[$guid],
 [array]$rules,
 "No Auditing",
 "",
@@ -4767,11 +4787,11 @@ function GuideMSS {
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Success and Failure" } else { "No Auditing" }
+
 $auditResult += [WELA]::New(
 "Security Advanced (System)",
 "Other System Events",
- $current,
+ $auditpol[$guid],
 [array]$rules,
 "Success and Failure",
 "",
@@ -4785,11 +4805,11 @@ function GuideMSS {
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Success and Failure" } else { "No Auditing" }
+
 $auditResult += [WELA]::New(
 "Security Advanced (System)",
 "Other System Events",
- $current,
+ $auditpol[$guid],
 [array]$rules,
 "Success",
 "Success and Failure",
@@ -4803,11 +4823,11 @@ function GuideMSS {
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Success and Failure" } else { "No Auditing" }
+
 $auditResult += [WELA]::New(
 "Security Advanced (System)",
 "Security System Extension",
- $current,
+ $auditpol[$guid],
 [array]$rules,
 "No Auditing",
 "Success and Failure",
@@ -4821,11 +4841,11 @@ function GuideMSS {
 $channels = @("sec")
 $enabled = $enabledguid -contains $guid
 $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
- $current = if ($enabled) { "Success and Failure" } else { "No Auditing" }
+
 $auditResult += [WELA]::New(
 "Security Advanced (System)",
 "System Integrity",
- $current,
+ $auditpol[$guid],
 [array]$rules,
 "Success and Failure",
 "Success and Failure",
@@ -5040,8 +5060,8 @@ function AuditLogSetting {
 if ($outType -eq "std") {
 $auditResult | Group-Object -Property Category | ForEach-Object {
- $enabledCount = ($_.Group | Where-Object { $_.CurrentSetting -eq "Enabled" } | ForEach-Object { $_.Rules.Count } | Measure-Object -Sum).Sum
- $disabledCount = ($_.Group | Where-Object { $_.CurrentSetting -ne "Enabled" } | ForEach-Object { $_.Rules.Count } | Measure-Object -Sum).Sum
+ $enabledCount = ($_.Group | Where-Object { $_.CurrentSetting -ne "No Auditing" } | ForEach-Object { $_.Rules.Count } | Measure-Object -Sum).Sum
+ $disabledCount = ($_.Group | Where-Object { $_.CurrentSetting -eq "No Auditing" } | ForEach-Object { $_.Rules.Count } | Measure-Object -Sum).Sum
 $out = ""
 $color = ""
 if ($disabledCount -eq 0 -and $enabledCount -ne 0){
@@ -5062,7 +5082,7 @@ function AuditLogSetting {
 if ($enabledCount + $disabledCount -ne 0) {
 $enabledPercentage = "({0:N2}%)" -f (($enabledCount / ($enabledCount + $disabledCount)) * 100)
 }
- if ($_.Name -notmatch "Powershell" -and $_.Name -notmatch "Security") {
+ if ($_.Name -notmatch "Powershell" -and $_.Name -notmatch "Security Advanced " -and $_.Name -notcontains "PrintService") {
 $enabledPercentage = ""
 }
 Write-Host "$( $_.Name ): $out$($enabledPercentage)" -ForegroundColor $color
From b4b18408f9957014bfa8d2727e82f5b6beb558de Mon Sep 17 00:00:00 2001
From: fukusuket <41001169+fukusuket@users.noreply.github.com>
Date: Fri, 16 May 2025 18:05:43 +0900
Subject: [PATCH 11/15] feat: add currentsetting
---
 WELA.ps1 | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/WELA.ps1 b/WELA.ps1
index 05e494a2..885594d4 100644
--- a/WELA.ps1
+++ b/WELA.ps1
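Review bot: The new summary in AuditLogSetting treats every CurrentSetting other than the exact string `"No Auditing"` as enabled, so an empty string (what the `[string]` constructor parameter makes of a missing `$auditpol[$guid]` entry) and the `"Disabled"` value that the PATCH 15 hunks (L235–L236) assign to the PowerShell Module/ScriptBlock entries are both counted as enabled and inflate the percentage — the opposite of what an audit summary should err toward. Make the disabled set explicit and derive enabled as its complement: `$disabledValues = @("No Auditing", "Disabled", "")`, then `Where-Object { $_.CurrentSetting -notin $disabledValues }` for the enabled count and `-in $disabledValues` for the disabled one. The `-notmatch "Powershell"` test does work because `-match` is case-insensitive by default, but both patterns are unanchored substrings, so a one-line comment stating they are intended as category-name prefixes would help the next reader. AuditLogSetting starts and ends outside these hunks.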
@@ -391,7 +391,7 @@ function GuideYamatoSecurity
 $enabled = CheckRegistryValue -registryPath "HKLM:\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\PowerShell\ModuleLogging" -valueName "EnableModuleLogging" -expectedValue 1
 $rules = $all_rules | Where-Object { RuleFilter $_ $eids $channels $guid }
 $rules | ForEach-Object { $_.applicable = $enabled }
- $current = $enabled ? "Enabled" : "Disabled"
+ $current = if ($enabled) { "Enabled" } else { "Disabled"}
 $auditResult += [WELA]::New(
 "PowerShell",
 "Module",
@@ -410,7 +410,7 @@ function GuideYamatoSecurity
 $enabled = CheckRegistryValue -registryPath "HKLM:\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging" -valueName "EnableScriptBlockLogging" -expectedValue 1
 $rules = $all_rules | Where-Object { RuleFilter $_ $eids $channels $guid }
 $rules | ForEach-Object { $_.applicable = $enabled }
- $current = $enabled ? "Enabled" : "Disabled"
+ $current = if ($enabled) { "Enabled" } else { "Disabled"}
 $auditResult += [WELA]::New(
 "PowerShell",
 "ScriptBlock",
From f76fe351c45667da27f418916dda7bd530587305 Mon Sep 17 00:00:00 2001
From: fukusuket <41001169+fukusuket@users.noreply.github.com>
Date: Fri, 16 May 2025 18:18:56 +0900
Subject: [PATCH 12/15] feat: add currentsetting
---
 WELA.ps1 | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/WELA.ps1 b/WELA.ps1
index 885594d4..f34ce005 100644
--- a/WELA.ps1
+++ b/WELA.ps1
@@ -391,7 +391,7 @@ function GuideYamatoSecurity
 $enabled = CheckRegistryValue -registryPath "HKLM:\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\PowerShell\ModuleLogging" -valueName "EnableModuleLogging" -expectedValue 1
 $rules = $all_rules | Where-Object { RuleFilter $_ $eids $channels $guid }
 $rules | ForEach-Object { $_.applicable = $enabled }
- $current = if ($enabled) { "Enabled" } else { "Disabled"}
+ $current = if ($enabled) { "Enabled" } else { "Disabled" }
 $auditResult += [WELA]::New(
 "PowerShell",
 "Module",
@@ -410,7 +410,7 @@ function GuideYamatoSecurity
 $enabled = CheckRegistryValue -registryPath "HKLM:\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging" -valueName "EnableScriptBlockLogging" -expectedValue 1
 $rules = $all_rules | Where-Object { RuleFilter $_ $eids $channels $guid }
 $rules | ForEach-Object { $_.applicable = $enabled }
- $current = if ($enabled) { "Enabled" } else { "Disabled"}
+ $current = if ($enabled) { "Enabled" } else { "Disabled" }
 $auditResult += [WELA]::New(
 "PowerShell",
 "ScriptBlock",
@@ -5082,7 +5082,7 @@ function AuditLogSetting {
 if ($enabledCount + $disabledCount -ne 0) {
 $enabledPercentage = "({0:N2}%)" -f (($enabledCount / ($enabledCount + $disabledCount)) * 100)
 }
- if ($_.Name -notmatch "Powershell" -and $_.Name -notmatch "Security Advanced " -and $_.Name -notcontains "PrintService") {
+ if ($_.Name -notmatch "Powershell" -and $_.Name -notcontains "Security Advanced" -and $_.Name -notcontains "PrintService") {
 $enabledPercentage = ""
 }
 Write-Host "$( $_.Name ): $out$($enabledPercentage)" -ForegroundColor $color
From 4673db21f00df6711527c45117392f14ee48b9c7 Mon Sep 17 00:00:00 2001
From: fukusuket <41001169+fukusuket@users.noreply.github.com>
Date: Fri, 16 May 2025 18:22:29 +0900
Subject: [PATCH 13/15] feat: add currentsetting
---
 WELA.ps1 | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/WELA.ps1 b/WELA.ps1
index f34ce005..05bcef56 100644
--- a/WELA.ps1
+++ b/WELA.ps1
@@ -5082,7 +5082,7 @@ function AuditLogSetting {
 if ($enabledCount + $disabledCount -ne 0) {
 $enabledPercentage = "({0:N2}%)" -f (($enabledCount / ($enabledCount + $disabledCount)) * 100)
 }
- if ($_.Name -notmatch "Powershell" -and $_.Name -notcontains "Security Advanced" -and $_.Name -notcontains "PrintService") {
+ if ($_.Name -notmatch "Powershell" -and $_.Name -notmatch "Security Advanced" -and $_.Name -notmatch "PrintService") {
 $enabledPercentage = ""
 }
 Write-Host "$( $_.Name ): $out$($enabledPercentage)" -ForegroundColor $color
From 3daf3bb055d0515d5952a5c8abade5f27f407560 Mon Sep 17 00:00:00 2001
From: fukusuket <41001169+fukusuket@users.noreply.github.com>
Date: Fri, 16 May 2025 18:23:54 +0900
Subject: [PATCH 14/15] feat: add currentsetting
---
 WELA.ps1 | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/WELA.ps1 b/WELA.ps1
index 05bcef56..2f9847ea 100644
--- a/WELA.ps1
+++ b/WELA.ps1
@@ -5082,7 +5082,7 @@ function AuditLogSetting {
 if ($enabledCount + $disabledCount -ne 0) {
 $enabledPercentage = "({0:N2}%)" -f (($enabledCount / ($enabledCount + $disabledCount)) * 100)
 }
- if ($_.Name -notmatch "Powershell" -and $_.Name -notmatch "Security Advanced" -and $_.Name -notmatch "PrintService") {
+ if ($_.Name -notmatch "Powershell" -and $_.Name -notmatch "Security Advanced") {
 $enabledPercentage = ""
 }
 Write-Host "$( $_.Name ): $out$($enabledPercentage)" -ForegroundColor $color
From 0cd793dbcb1760c4780350f8b6e915b75639495b Mon Sep 17 00:00:00 2001
From: fukusuket <41001169+fukusuket@users.noreply.github.com>
Date: Fri, 16 May 2025 18:29:05 +0900
Subject: [PATCH 15/15] feat: add currentsetting
---
 WELA.ps1 | 24 ++++++++++++------------
 1 file changed, 12 insertions(+), 12 deletions(-)
diff --git a/WELA.ps1 b/WELA.ps1
index 2f9847ea..c81ac155 100644
--- a/WELA.ps1
+++ b/WELA.ps1
@@ -1586,11 +1586,11 @@ function GuideASD {
 $enabled = CheckRegistryValue -registryPath "HKLM:\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\PowerShell\ModuleLogging" -valueName "EnableModuleLogging" -expectedValue 1
 $rules = $all_rules | Where-Object { RuleFilter $_ $eids $channels $guid }
 $rules | ForEach-Object { $_.applicable = $enabled }
-
+ $current = if ($enabled) { "Enabled" } else { "Disabled" }
 $auditResult += [WELA]::New(
 "PowerShell",
 "Module",
- $auditpol[$guid],
+ $current,
 [array]$rules,
 "No Auditing",
 "Enabled",
@@ -1605,11 +1605,11 @@ function GuideASD {
 $enabled = CheckRegistryValue -registryPath "HKLM:\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging" -valueName "EnableScriptBlockLogging" -expectedValue 1
 $rules = $all_rules | Where-Object { RuleFilter $_ $eids $channels $guid }
 $rules | ForEach-Object { $_.applicable = $enabled }
-
+ $current = if ($enabled) { "Enabled" } else { "Disabled" }
 $auditResult += [WELA]::New(
 "PowerShell",
 "ScriptBlock",
- $auditpol[$guid],
+ $current,
 [array]$rules,
 "Patially",
 "Enabled",
@@ -2784,11 +2784,11 @@ function GuideMSC {
 $enabled = CheckRegistryValue -registryPath "HKLM:\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\PowerShell\ModuleLogging" -valueName "EnableModuleLogging" -expectedValue 1
 $rules = $all_rules | Where-Object { RuleFilter $_ $eids $channels $guid }
 $rules | ForEach-Object { $_.applicable = $enabled }
-
+ $current = if ($enabled) { "Enabled" } else { "Disabled" }
 $auditResult += [WELA]::New(
 "PowerShell",
 "Module",
- $auditpol[$guid],
+ $current,
 [array]$rules,
 "No Auditing",
 "",
@@ -2803,11 +2803,11 @@ function GuideMSC {
 $enabled = CheckRegistryValue -registryPath "HKLM:\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging" -valueName "EnableScriptBlockLogging" -expectedValue 1
 $rules = $all_rules | Where-Object { RuleFilter $_ $eids $channels $guid }
 $rules | ForEach-Object { $_.applicable = $enabled }
-
+ $current = if ($enabled) { "Enabled" } else { "Disabled" }
 $auditResult += [WELA]::New(
 "PowerShell",
 "ScriptBlock",
- $auditpol[$guid],
+ $current,
 [array]$rules,
 "Patially",
 "",
@@ -3982,11 +3982,11 @@ function GuideMSS {
 $enabled = CheckRegistryValue -registryPath "HKLM:\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\PowerShell\ModuleLogging" -valueName "EnableModuleLogging" -expectedValue 1
 $rules = $all_rules | Where-Object { RuleFilter $_ $eids $channels $guid }
 $rules | ForEach-Object { $_.applicable = $enabled }
-
+ $current = if ($enabled) { "Enabled" } else { "Disabled" }
 $auditResult += [WELA]::New(
 "PowerShell",
 "Module",
- $auditpol[$guid],
+ $current,
 [array]$rules,
 "No Auditing",
 "",
@@ -4001,11 +4001,11 @@ function GuideMSS {
 $enabled = CheckRegistryValue -registryPath "HKLM:\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging" -valueName "EnableScriptBlockLogging" -expectedValue 1
 $rules = $all_rules | Where-Object { RuleFilter $_ $eids $channels $guid }
 $rules | ForEach-Object { $_.applicable = $enabled }
-
+ $current = if ($enabled) { "Enabled" } else { "Disabled" }
 $auditResult += [WELA]::New(
 "PowerShell",
 "ScriptBlock",
- $auditpol[$guid],
+ $current,
 [array]$rules,
 "Patially",
 "",
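Review bot: `$current = if ($enabled) { "Enabled" } else { "Disabled" }` is now repeated verbatim after the same two registry checks in GuideASD, GuideMSC and GuideMSS (the hunks on L235 and L236, plus GuideYamatoSecurity from PATCH 11), so a later change to the wording or to the registry path has four places to miss; a small helper along the lines of `function GetPowerShellLoggingSetting([string] $registryPath, [string] $valueName)` that runs CheckRegistryValue and returns the "Enabled"/"Disabled" string would keep the mapping and the key in one place and give each call site a one-line comment explaining what it reports. The value is derived only from the `Wow6432Node` policy key visible in the context lines; if a deployment sets the policy only under `HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\...` the entry would show "Disabled" on a host that is in fact logging, so it is worth confirming which key(s) Group Policy writes on the targeted builds and checking both if needed. The context line `"Patially"` in the ScriptBlock entries is presumably meant to be "Partially". The enclosing functions start and end outside these hunks.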