From ca17906fe906bf52e85b33835660c8e510c334ae Mon Sep 17 00:00:00 2001
From: fukusuket <41001169+fukusuket@users.noreply.github.com>
Date: Thu, 8 May 2025 11:28:28 +0900
Subject: [PATCH 1/3] chg: separate size recommend

---
 WELA.ps1 | 144 +++++++++++++++++++++++++++----------------------------
 1 file changed, 72 insertions(+), 72 deletions(-)

diff --git a/WELA.ps1 b/WELA.ps1
index 342968fb..dc9ac296 100644
--- a/WELA.ps1
+++ b/WELA.ps1
@@ -215,8 +215,8 @@ function AuditLogSetting {
 "",
 $enabled,
 [array]$rules,
- "Enabled. 20 MB",
- "Enabled. 128 MB+",
+ "Enabled",
+ "Enabled",
 "",
 ""
 )
@@ -233,10 +233,10 @@ function AuditLogSetting {
 "",
 $enabled,
 [array]$rules,
- "Enabled if AppLocker is enabled? 1 MB",
- "Enabled. 256 MB+",
+ "Enabled",
+ "Enabled",
 "",
- ""
+ "Enabled if AppLocker is enabled?"
 )

 # Bits-Client Operational
@@ -251,8 +251,8 @@ function AuditLogSetting {
 "",
 $enabled,
 [array]$rules,
- "Enabled. 1 MB",
- "Enabled. 256 MB+",
+ "Enabled",
+ "Enabled",
 "",
 ""
 )
@@ -269,8 +269,8 @@ function AuditLogSetting {
 "",
 $enabled,
 [array]$rules,
- "Enabled. 1 MB",
- "Enabled. 256 MB+",
+ "Enabled",
+ "Enabled",
 "",
 ""
 )
@@ -287,8 +287,8 @@ function AuditLogSetting {
 "",
 $enabled,
 [array]$rules,
- "Enabled. 1 MB",
- "Enabled. 256 MB+",
+ "Enabled",
+ "Enabled",
 "",
 ""
 )
@@ -305,8 +305,8 @@ function AuditLogSetting {
 "",
 $enabled,
 [array]$rules,
- "Enabled. 1 MB",
- "Enabled. 256 MB+",
+ "Enabled",
+ "Enabled",
 "",
 ""
 )
@@ -323,8 +323,8 @@ function AuditLogSetting {
 "",
 $enabled,
 [array]$rules,
- "Enabled. 1 MB",
- "Enabled. 256 MB+",
+ "Enabled",
+ "Enabled",
 "",
 ""
 )
@@ -341,10 +341,10 @@ function AuditLogSetting {
 "",
 $enabled,
 [array]$rules,
- "Enabled. 1 MB",
- "This log is recommended to enable if you want to disable NTLM authentication",
+ "Enabled",
+ "Enabled",
 "",
- ""
+ "This log is recommended to enable if you want to disable NTLM authentication"
 )

 # PowerShell
@@ -360,7 +360,7 @@ function AuditLogSetting {
 "Classic",
 $enabled,
 [array]$rules,
- "Enabled. 15 MB",
+ "Enabled",
 "Enabled",
 "",
 ""
@@ -396,10 +396,10 @@ function AuditLogSetting {
 "ScriptBlock",
 $enabled,
 [array]$rules,
- "On Win 10/2016+, if a PowerShell script is flagged as suspicious by AMSI, it will be logged with a level of Warning",
+ "Patially Enabled",
 "Enabled",
 "High",
- ""
+ "On Win 10/2016+, if a PowerShell script is flagged as suspicious by AMSI, it will be logged with a level of Warning in default setting"
 )

 # PrintService Admin
@@ -414,8 +414,8 @@ function AuditLogSetting {
 "PrintService Admin",
 $enabled,
 [array]$rules,
- "Enabled. 1 MB",
- "Enabled. 256 MB+",
+ "Enabled",
+ "Enabled",
 "",
 ""
 )
@@ -432,8 +432,8 @@ function AuditLogSetting {
 "PrintService Operational",
 $enabled,
 [array]$rules,
- "Enabled. 1 MB",
- "Enabled. 256 MB+",
+ "Enabled",
+ "Enabled",
 "",
 ""
 )
@@ -591,9 +591,9 @@ function AuditLogSetting {
 $enabled,
 [array]$rules,
 "No Auditing",
- "Success and Failure if sysmon is not configured",
+ "Success and Failure",
 "High",
- ""
+ "if sysmon is not configured"
 )

 #### Process Termination
@@ -608,9 +608,9 @@ function AuditLogSetting {
 $enabled,
 [array]$rules,
 "No Auditing",
- "No Auditing unless you want to track the lifespan of processes",
+ "No Auditing",
 "High",
- ""
+ "unless you want to track the lifespan of processes"
 )

 #### RPC Events
@@ -625,7 +625,7 @@ function AuditLogSetting {
 $enabled,
 [array]$rules,
 "No Auditing",
- "Unknown. Needs testing",
+ "",
 "High on RPC servers (According to Microsoft)",
 ""
 )
@@ -642,8 +642,8 @@ function AuditLogSetting {
 $enabled,
 [array]$rules,
 "No Auditing",
- "Unknown. Needs testing",
- "Unknown",
+ "",
+ "",
 ""
 )

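Review bot: At `@@ -625` the recommendation column becomes the empty string in place of `"Unknown. Needs testing"`, and the same happens at `@@ -642` and, later in the patch, at `@@ -1038`, `@@ -1055`, `@@ -1072` and `@@ -1142`; an empty cell is indistinguishable from an entry that was never filled in, so the information that these categories are untested is lost. Since this commit moves qualifiers into the trailing note column, keeping `"Needs testing"` there, or `"Unknown"` in the recommendation column, would preserve it. The enclosing `AuditLogSetting` function starts and ends outside these hunks.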
@@ -816,9 +816,9 @@ function AuditLogSetting {
 $enabled,
 [array]$rules,
 "No Auditing",
- "No Auditing due to the high noise level. Enable if you can though",
+ "No Auditing",
 "Very high for file servers and DCs, however, may be necessary if you want to track who is accessing what files as well as detect various lateral movement",
- ""
+ "Due to the high noise level. Enable if you can though"
 )

 #### File Share
@@ -850,9 +850,9 @@ function AuditLogSetting {
 $enabled,
 [array]$rules,
 "No Auditing",
- "Enable SACLs just for sensitive files",
+ "Enable",
 "Depends on SACL rules",
- ""
+ "Enable SACLs just for sensitive files"
 )

 #### Filtering Platform Connection
@@ -867,9 +867,9 @@ function AuditLogSetting {
 $enabled,
 [array]$rules,
 "No Auditing",
- "Success and Failure if you have enough space and are not monitoring network connections with sysmon. This should cause a high amount of events though",
+ "Success and Failure",
 "High",
- ""
+ "Success and Failure if you have enough space and are not monitoring network connections with sysmon. This should cause a high amount of events though"
 )

 #### Filtering Platform Packet Drop
@@ -884,9 +884,9 @@ function AuditLogSetting {
 $enabled,
 [array]$rules,
 "No Auditing",
- "Success and Failure for AD CS role servers",
+ "Success and Failure",
 "High",
- ""
+ "for AD CS role servers"
 )

 #### Kernel Object
@@ -901,9 +901,9 @@ function AuditLogSetting {
 $enabled,
 [array]$rules,
 "No Auditing",
- "Success and Failure but do not enable Audit the access of global system objects as you will generate too many 4663: Object Access events",
+ "Success and Failure",
 "High if auditing access of global object access is enabled",
- ""
+ "Success and Failure but do not enable Audit the access of global system objects as you will generate too many 4663: Object Access events"
 )

 #### Handle Manipulation
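Review bot: In the hunk at `@@ -850` the recommendation column becomes the bare word `"Enable"`, while every other advanced-audit entry touched by this commit uses the `"Success and Failure"` / `"No Auditing"` vocabulary (compare `@@ -952`, where the SACL-based registry entry gets `"Success and Failure"` with the SACL qualifier in the note column). If the report filters, groups or compares on this column, the odd value will not match; `"Success and Failure",` with the existing note `"Enable SACLs just for sensitive files"` would keep the table uniform. The enclosing `AuditLogSetting` function starts and ends outside the hunk.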
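Review bot: In the hunks at `@@ -867` and `@@ -901` the new note column repeats the entire former recommendation text, including the leading "Success and Failure" that now also sits in the recommendation column, whereas the other hunks keep only the qualifier (`"if sysmon is not configured"`, `"for AD CS role servers"`). The rendered row will read "Success and Failure … Success and Failure if you have enough space …", which is the duplication this commit set out to remove. Trimming the notes to `"if you have enough space and are not monitoring network connections with sysmon. This should cause a high amount of events though"` and `"but do not enable Audit the access of global system objects as you will generate too many 4663: Object Access events"` keeps the columns consistent. The enclosing `AuditLogSetting` function starts and ends outside these hunks.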
@@ -952,9 +952,9 @@ function AuditLogSetting {
 $enabled,
 [array]$rules,
 "No Auditing",
- "Set SACLs for only the registry keys that you want to monitor",
+ "Success and Failure",
 "Depends on SACLs",
- ""
+ "Set SACLs for only the registry keys that you want to monitor"
 )

 #### Removable Storage
@@ -969,9 +969,9 @@ function AuditLogSetting {
 $enabled,
 [array]$rules,
 "No Auditing",
- "Success and Failure if you want to monitor external device usage",
+ "Success and Failure",
 "Depends on how much removable storage is used",
- ""
+ "if you want to monitor external device usage"
 )

 #### SAM
@@ -986,9 +986,9 @@ function AuditLogSetting {
 $enabled,
 [array]$rules,
 "No Auditing",
- "Success and Failure for AD CS role servers",
+ "Success and Failure",
 "Success and Failure if you can but may cause too high volume of noise so should be tested beforehand",
- ""
+ "for AD CS role servers"
 )

 ### Policy Change
@@ -1038,7 +1038,7 @@ function AuditLogSetting {
 $enabled,
 [array]$rules,
 "No Auditing",
- "Unknown. Needs testing",
+ "",
 "Medium to High",
 ""
 )
@@ -1055,7 +1055,7 @@ function AuditLogSetting {
 $enabled,
 [array]$rules,
 "No Auditing",
- "Unknown, Needs testing",
+ "",
 "Low",
 ""
 )
@@ -1072,7 +1072,7 @@ function AuditLogSetting {
 $enabled,
 [array]$rules,
 "No Auditing",
- "Unknown, Needs testing",
+ "",
 "Low",
 ""
 )
@@ -1089,9 +1089,9 @@ function AuditLogSetting {
 $enabled,
 [array]$rules,
 "No Auditing",
- "No Auditing (Note: ACSC recommends Success and Failure, however, this results in a lot of noise of 5447 (A Windows Filtering Platform filter has been changed) events being generated.)",
+ "No Auditing ",
 "Low",
- ""
+ "ACSC recommends Success and Failure, however, this results in a lot of noise of 5447 (A Windows Filtering Platform filter has been changed) events being generated"
 )

 ### Privilege Use
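Review bot: The new recommendation value at `@@ -1089` is `"No Auditing "` with a trailing space, unlike `"No Auditing"` in every other entry of the table; the space is invisible in the rendered output but will defeat any exact-match comparison, grouping or counting done on this column. Change it to `"No Auditing",`. The enclosing `AuditLogSetting` function starts and ends outside the hunk.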
@@ -1124,9 +1124,9 @@ function AuditLogSetting {
 $enabled,
 [array]$rules,
 "No Auditing",
- "Success and Failure However, this may be too noisy",
+ "Success and Failure",
 "High",
- ""
+ "However, this may be too noisy"
 )

 ### System
@@ -1142,7 +1142,7 @@ function AuditLogSetting {
 $enabled,
 [array]$rules,
 "Success and Failure",
- "Unknown. Needs testing",
+ "",
 "Low",
 ""
 )
@@ -1210,8 +1210,8 @@ function AuditLogSetting {
 "",
 $enabled,
 [array]$rules,
- "Enabled. 1 MB",
- "Enabled. 256 MB+",
+ "Enabled",
+ "Enabled",
 "",
 ""
 )
@@ -1228,8 +1228,8 @@ function AuditLogSetting {
 "",
 $enabled,
 [array]$rules,
- "Enabled. 1 MB",
- "Enabled. 256 MB+",
+ "Enabled",
+ "Enabled",
 "",
 ""
 )
@@ -1246,8 +1246,8 @@ function AuditLogSetting {
 "",
 $enabled,
 [array]$rules,
- "Enabled. 8 MB",
- "Enabled. 128 MB+",
+ "Enabled",
+ "Enabled",
 "",
 ""
 )
@@ -1264,8 +1264,8 @@ function AuditLogSetting {
 "",
 $enabled,
 [array]$rules,
- "Enabled. 20 MB",
- "Enabled. 128 MB+",
+ "Enabled",
+ "Enabled",
 "",
 ""
 )
@@ -1282,8 +1282,8 @@ function AuditLogSetting {
 "",
 $enabled,
 [array]$rules,
- "Enabled. 1 MB",
- "Enabled. 128 MB+",
+ "Enabled",
+ "Enabled",
 "",
 ""
 )
@@ -1300,8 +1300,8 @@ function AuditLogSetting {
 "",
 $enabled,
 [array]$rules,
- "Enabled. 1 MB",
- "Enabled. 128 MB+",
+ "Enabled",
+ "Enabled",
 "",
 ""
 )
@@ -1318,8 +1318,8 @@ function AuditLogSetting {
 "",
 $enabled,
 [array]$rules,
- "Enabled. 1 MB",
- "Enabled. 128 MB+",
+ "Enabled",
+ "Enabled",
 "",
 ""
 )
@@ -1336,8 +1336,8 @@ function AuditLogSetting {
 "",
 $enabled,
 [array]$rules,
- "Enabled. 1 MB",
- "Enabled. 128 MB+",
+ "Enabled",
+ "Enabled",
 "",
 ""
 )

From 1171ebb4729fd68169b655a435846841adbecc26 Mon Sep 17 00:00:00 2001
From: Fukusuke Takahashi <41001169+fukusuket@users.noreply.github.com>
Date: Thu, 8 May 2025 11:30:11 +0900
Subject: [PATCH 2/3] Update WELA.ps1

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
---
 WELA.ps1 | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/WELA.ps1 b/WELA.ps1
index dc9ac296..c94cb9d1 100644
--- a/WELA.ps1
+++ b/WELA.ps1
@@ -396,7 +396,7 @@ function AuditLogSetting {
 "ScriptBlock",
 $enabled,
 [array]$rules,
- "Patially Enabled",
+ "Partially Enabled",
 "Enabled",
 "High",
 "On Win 10/2016+, if a PowerShell script is flagged as suspicious by AMSI, it will be logged with a level of Warning in default setting"

From 3ec6637c2d922c19f111691ce7e3d2ce3223cedb Mon Sep 17 00:00:00 2001
From: fukusuket <41001169+fukusuket@users.noreply.github.com>
Date: Thu, 8 May 2025 12:30:17 +0900
Subject: [PATCH 3/3] fix: count 0 bug

---
 WELA.ps1 | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/WELA.ps1 b/WELA.ps1
index c94cb9d1..64017b01 100644
--- a/WELA.ps1
+++ b/WELA.ps1
@@ -74,9 +74,12 @@
 if (-not $count) {
 $count = 0 # 明示的に0を設定しないと空文字列に変換されるため
 }
- $ruleCounts += "info:$([string]$count)"
+ $ruleCounts += "info: $([string]$count)"
 } else {
- $ruleCounts += "$($level):$($count), "
+ if (-not $count) {
+ $count = 0 # 明示的に0を設定しないと空文字列に変換されるため
+ }
+ $ruleCounts += "$($level): $($count), "
 }
 }
 $ruleCounts += ")"
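Review bot: In the `@@ -74` hunk the `if (-not $count) { $count = 0 }` guard is now copied into both branches of the `if`/`else`; hoisting it once above the branch, `if (-not $count) { $count = 0 }` followed by the two `$ruleCounts +=` lines, keeps the fix in one place so the next branch added does not miss it. The comment on the guard is in Japanese while the rest of the script's comments are in English; `# Set 0 explicitly, otherwise $null is rendered as an empty string when interpolated` says the same thing for every reader. The hunk also adds a space after the colon in both output strings (`"info: "`, `"$($level): "`), which changes the printed format, so anything that parses these `level:count` pairs out of `$ruleCounts` would need the same change — I cannot see such a consumer from here. The enclosing loop and the `if` whose branch the hunk starts in begin outside the hunk.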