From b8b591f41e8049da15e04d2bcf17b69a8afa196b Mon Sep 17 00:00:00 2001
From: fukusuket <41001169+fukusuket@users.noreply.github.com>
Date: Sun, 16 Nov 2025 17:14:22 +0900
Subject: [PATCH 1/3] fix: update default auditing values in WELA.ps1
---
 WELA.ps1 | 24 ++++++++++++------------
 1 file changed, 12 insertions(+), 12 deletions(-)
diff --git a/WELA.ps1 b/WELA.ps1
index f5b9985c..4bc9f89e 100644
--- a/WELA.ps1
+++ b/WELA.ps1
@@ -578,7 +578,7 @@ function GuideYamatoSecurity
 "Other Account Management Events",
 $auditpol[$guid],
 [array]$rules,
- "No Auditing",
+ "Success",
 "Success and Failure",
 "Low",
 ""
@@ -596,7 +596,7 @@ function GuideYamatoSecurity
 "Security Group Management",
 $auditpol[$guid],
 [array]$rules,
- "No Auditing",
+ "Success",
 "Success and Failure",
 "Low",
 ""
@@ -1384,7 +1384,7 @@ function GuideYamatoSecurity
 "",
 $current,
 [array]$rules,
- "Enabled",
+ "Disabled",
 "Enabled",
 "",
 ""
@@ -1815,7 +1815,7 @@ function GuideASD {
 "Other Account Management Events",
 $auditpol[$guid],
 [array]$rules,
- "No Auditing",
+ "Success",
 "Success and Failure",
 "",
 ""
@@ -1833,7 +1833,7 @@ function GuideASD {
 "Security Group Management",
 $auditpol[$guid],
 [array]$rules,
- "No Auditing",
+ "Success",
 "Success and Failure",
 "",
 ""
@@ -2621,7 +2621,7 @@ function GuideASD {
 "",
 $current,
 [array]$rules,
- "Enabled",
+ "Disabled",
 "",
 "",
 ""
@@ -3052,7 +3052,7 @@ function GuideMSC {
 "Other Account Management Events",
 $auditpol[$guid],
 [array]$rules,
- "No Auditing",
+ "Success",
 "Success",
 "",
 ""
@@ -3070,7 +3070,7 @@ function GuideMSC {
 "Security Group Management",
 $auditpol[$guid],
 [array]$rules,
- "No Auditing",
+ "Success",
 "Success",
 "",
 ""
@@ -3858,7 +3858,7 @@ function GuideMSC {
 "",
 $current,
 [array]$rules,
- "Enabled",
+ "Disabled",
 "",
 "",
 ""
@@ -4289,7 +4289,7 @@ function GuideMSS {
 "Other Account Management Events",
 $auditpol[$guid],
 [array]$rules,
- "No Auditing",
+ "Success",
 "Success and Failure",
 "",
 ""
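Review bot: The default-setting literal changed in the `@@ -578` hunk ("Other Account Management Events") is hard-coded once per guide function, so this one correction has to be repeated in GuideYamatoSecurity, GuideASD, GuideMSC and GuideMSS, and the third patch in this series flips the same literal back in all four places. Since this column appears to tell an analyst what Windows logs before any policy is applied, a copy that drifts would misstate the gap between default and recommended auditing. Consider keeping the defaults in one table keyed by subcategory and passing the lookup at each call site, for example `$defaultAudit = @{ "Security Group Management" = "Success" }` (name constructed for illustration) and `$defaultAudit["Security Group Management"]` in place of the literal. The same applies to the "Security Group Management" hunks here and the "User Account Management" hunks in patch 3; each enclosing call starts and ends outside its hunk, so the argument roles are inferred from position.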
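Review bot: The setting whose default changes from `"Enabled"` to `"Disabled"` in the `@@ -1384` hunk cannot be identified from the hunk, because its name argument is `""` and the call begins outside the visible lines; the commit subject only says "default auditing values". In GuideYamatoSecurity the next argument is still `"Enabled"`, so if that is the recommended value the report will now show a gap on an unmodified host where it previously showed none, which is worth stating deliberately. A one-line comment above the literal would make this reviewable, e.g. `# Default on a clean install is Disabled (source: <reference>)`. The `@@ -2621`, `@@ -3858` and `@@ -5095` hunks make the same change and need the same comment.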
@@ -4307,7 +4307,7 @@ function GuideMSS {
 "Security Group Management",
 $auditpol[$guid],
 [array]$rules,
- "No Auditing",
+ "Success",
 "Success and Failure",
 "",
 ""
@@ -5095,7 +5095,7 @@ function GuideMSS {
 "",
 $current,
 [array]$rules,
- "Enabled",
+ "Disabled",
 "",
 "",
 ""
From 9d2d60a77aa81f45d60cee8c8a2a091c585fb4aa Mon Sep 17 00:00:00 2001
From: fukusuket <41001169+fukusuket@users.noreply.github.com>
Date: Sun, 16 Nov 2025 17:26:38 +0900
Subject: [PATCH 2/3] fix: adjust default value for PowerShell operational logging
---
 WELA.ps1 | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/WELA.ps1 b/WELA.ps1
index 4bc9f89e..3daa2971 100644
--- a/WELA.ps1
+++ b/WELA.ps1
@@ -5412,7 +5412,7 @@ function AuditFileSize {
 "Microsoft-Windows-Crypto-DPAPI/Debug" = @("1 MB", "128 MB+")
 "Microsoft-Windows-DriverFrameworks-UserMode/Operational" = @("1 MB", "128 MB+")
 "Microsoft-Windows-NTLM/Operational" = @("1 MB", "128 MB+")
- "Microsoft-Windows-PowerShell/Operational" = @("20 MB", "256 MB+")
+ "Microsoft-Windows-PowerShell/Operational" = @("15 MB", "256 MB+")
 "Microsoft-Windows-PrintService/Admin" = @("1 MB", "128 MB+")
 "Microsoft-Windows-PrintService/Operational" = @("1 MB", "128 MB+")
 "Microsoft-Windows-Security-Mitigations/KernelMode" = @("1 MB", "128 MB+")
From 7a8ce70e166c29520038ceea9efe68eac77f225e Mon Sep 17 00:00:00 2001
From: fukusuket <41001169+fukusuket@users.noreply.github.com>
Date: Sun, 16 Nov 2025 19:05:38 +0900
Subject: [PATCH 3/3] fix: update default auditing values in WELA.ps1
---
 WELA.ps1 | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)
diff --git a/WELA.ps1 b/WELA.ps1
index 3daa2971..0826840c 100644
--- a/WELA.ps1
+++ b/WELA.ps1
@@ -578,7 +578,7 @@ function GuideYamatoSecurity
 "Other Account Management Events",
 $auditpol[$guid],
 [array]$rules,
- "Success",
+ "No Auditing",
 "Success and Failure",
 "Low",
 ""
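Review bot: The `"15 MB"` default for `Microsoft-Windows-PowerShell/Operational` in the `@@ -5412` hunk is a hand-maintained string with nothing in the table saying where it comes from, and the commit is itself a correction of the earlier `"20 MB"`. A short comment on how to re-check it would help, e.g. `# default = maxSize reported by: wevtutil gl "Microsoft-Windows-PowerShell/Operational" on a clean install`. If the first element is the default and the second the recommendation, as the layout suggests, the figure matters for retention planning: this channel holds PowerShell script block and module logging events, and a small log overwrites them quickly. The hashtable in AuditFileSize starts and ends outside the hunk.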
@@ -614,7 +614,7 @@ function GuideYamatoSecurity
 "User Account Management",
 $auditpol[$guid],
 [array]$rules,
- "No Auditing",
+ "Success",
 "Success and Failure",
 "Low",
 ""
@@ -1815,7 +1815,7 @@ function GuideASD {
 "Other Account Management Events",
 $auditpol[$guid],
 [array]$rules,
- "Success",
+ "No Auditing",
 "Success and Failure",
 "",
 ""
@@ -1851,7 +1851,7 @@ function GuideASD {
 "User Account Management",
 $auditpol[$guid],
 [array]$rules,
- "No Auditing",
+ "Success",
 "Success and Failure",
 "",
 ""
@@ -3052,7 +3052,7 @@ function GuideMSC {
 "Other Account Management Events",
 $auditpol[$guid],
 [array]$rules,
- "Success",
+ "No Auditing",
 "Success",
 "",
 ""
@@ -3088,7 +3088,7 @@ function GuideMSC {
 "User Account Management",
 $auditpol[$guid],
 [array]$rules,
- "No Auditing",
+ "Success",
 "Success",
 "",
 ""
@@ -4289,7 +4289,7 @@ function GuideMSS {
 "Other Account Management Events",
 $auditpol[$guid],
 [array]$rules,
- "Success",
+ "No Auditing",
 "Success and Failure",
 "",
 ""
@@ -4325,7 +4325,7 @@ function GuideMSS {
 "User Account Management",
 $auditpol[$guid],
 [array]$rules,
- "No Auditing",
+ "Success",
 "Success and Failure",
 "",
 ""