diff --git a/WELA.ps1 b/WELA.ps1
index 64017b01..8836a636 100644
--- a/WELA.ps1
+++ b/WELA.ps1
@@ -1,4 +1,11 @@
-class WELA {
+param (
+ [string]$Cmd,
+ [string]$OutType = "std",
+ [string]$Guide = "YamatoSecurity",
+ [bool]$Debug = $false
+)
+
+class WELA {
 static [array] $Levels = @('critical', 'high', 'medium', 'low', 'informational')
 [string] $Category
 [string] $SubCategory
@@ -184,46 +191,12 @@ function CheckRegistryValue {
 return $false
 }
 }
-
-function AuditLogSetting {
+function GuideYamatoSecurity
+{
 param (
- [string] $outType,
- [bool] $debug
+ [object[]] $all_rules
 )
- $autidpolTxt = "./auditpol.txt"
- if (-not $debug) {
- Start-Process -FilePath "cmd.exe" -ArgumentList "/c chcp 437 & auditpol /get /category:* /r" -NoNewWindow -Wait -RedirectStandardOutput $autidpolTxt
- }
- $enabledguid = [System.Collections.Generic.HashSet[string]]::new()
- Get-Content -Path $autidpolTxt | Select-String -NotMatch "No Auditing" | ForEach-Object {
- if ($_ -match '{(.*?)}') {
- [void]$enabledguid.Add($matches[1])
- }
- }
- $all_rules = Get-Content -Path "config/security_rules.json" -Raw | ConvertFrom-Json
- $all_rules | ForEach-Object {
- $_ | Add-Member -MemberType NoteProperty -Name "applicable" -Value $false
- }
 $auditResult = @()
-
- # Application
- $guid = ""
- $eids = @()
- $channels = @("Application")
- $enabled = $true
- $rules = $all_rules | Where-Object { RuleFilter $_ $eids $channels $guid }
- $rules | ForEach-Object { $_.applicable = $enabled }
- $auditResult += [WELA]::New(
- "Application",
- "",
- $enabled,
- [array]$rules,
- "Enabled",
- "Enabled",
- "",
- ""
- )
-
 # Applocker
 $guid = ""
 $eids = @()
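Review bot: `[bool]$Debug = $false` in the new script-level param block reuses the name of the PowerShell common parameter -Debug; a plain param block tolerates it, but the moment a `[CmdletBinding()]` attribute is added the script fails to bind ("parameter 'Debug' defined multiple times"), and callers must write `-Debug $true` instead of the conventional switch form. `[switch]$Debug` keeps the same default and the `if (-not $Debug)` usage the removed AuditLogSetting had. `$Guide` and `$OutType` accept any string, yet this patch defines exactly GuideYamatoSecurity, GuideASD and GuideMSC; a `[ValidateSet('YamatoSecurity','ASD','MSC')]` on `$Guide` (and a matching set on `$OutType`) would reject typos at bind time rather than wherever the dispatch on `$Cmd`/`$Guide`, which is outside this hunk, handles a miss.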
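Review bot: GuideYamatoSecurity drops the auditpol collection and the `$enabledguid` HashSet that AuditLogSetting built, but its only parameter is `$all_rules`; the Security subcategory checks added later in this patch (`$enabled = $enabledguid -contains $guid`) therefore rely on a `$enabledguid` living in an enclosing scope, and if that variable is absent or empty the expression is silently $false, so every Security category is reported as not audited with no error. Make the dependency explicit, e.g. `param ([object[]] $all_rules, [System.Collections.Generic.HashSet[string]] $enabledguid)`, or at minimum guard with `if ($null -eq $enabledguid) { throw "audit policy not collected" }`. The removed code also wrote `./auditpol.txt` to the current directory and skipped refreshing it under debug; wherever that logic now lives (not visible in this hunk) a stale file from an earlier run or a different host would be trusted as the current policy, so it should be regenerated unconditionally or its age checked. The body of GuideYamatoSecurity continues beyond the end of this hunk.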
@@ -1344,6 +1317,3482 @@ function AuditLogSetting { "", "" ) + return $auditResult +} + +function GuideASD { + param ( + [object[]] $all_rules + ) + + $auditResult = @() + # Application + $guid = "" + $eids = @() + $channels = @("Application") + $enabled = $true + $rules = $all_rules | Where-Object { RuleFilter $_ $eids $channels $guid } + $rules | ForEach-Object { $_.applicable = $enabled } + $auditResult += [WELA]::New( + "Application", + "", + $enabled, + [array]$rules, + "Enabled", + "", + "", + "" + ) + + # Applocker + $guid = "" + $eids = @() + $channels = @("Microsoft-Windows-AppLocker/MSI and Script", "Microsoft-Windows-AppLocker/EXE and DLL", "Microsoft-Windows-AppLocker/Packaged app-Deployment", "Microsoft-Windows-AppLocker/Packaged app-Execution") + $enabled = $true + $rules = $all_rules | Where-Object { RuleFilter $_ $eids $channels $guid } + $rules | ForEach-Object { $_.applicable = $enabled } + $auditResult += [WELA]::New( + "Applocker", + "", + $enabled, + [array]$rules, + "Enabled", + "Enabled", + "", + "" + ) + + # Bits-Client Operational + $guid = "" + $eids = @() + $channels = @("Microsoft-Windows-Bits-Client/Operational") + $enabled = $true + $rules = $all_rules | Where-Object { RuleFilter $_ $eids $channels $guid } + $rules | ForEach-Object { $_.applicable = $enabled } + $auditResult += [WELA]::New( + "Bits-Client Operational", + "", + $enabled, + [array]$rules, + "Enabled", + "", + "", + "" + ) + + # CodeIntegrity Operational + $guid = "" + $eids = @() + $channels = @("Microsoft-Windows-CodeIntegrity/Operational") + $enabled = $true + $rules = $all_rules | Where-Object { RuleFilter $_ $eids $channels $guid } + $rules | ForEach-Object { $_.applicable = $enabled } + $auditResult += [WELA]::New( + "CodeIntegrity Operational", + "", + $enabled, + [array]$rules, + "Enabled", + "", + "", + "" + ) + + # Diagnosis-Scripted Operational + $guid = "" + $eids = @() + $channels = @("Microsoft-Windows-Diagnosis-Scripted/Operational") + $enabled = $true + 
$rules = $all_rules | Where-Object { RuleFilter $_ $eids $channels $guid } + $rules | ForEach-Object { $_.applicable = $enabled } + $auditResult += [WELA]::New( + "Diagnosis-Scripted Operational", + "", + $enabled, + [array]$rules, + "Enabled", + "", + "", + "" + ) + + # DriverFrameworks-UserMode Operational + $guid = "" + $eids = @() + $channels = @("Microsoft-Windows-DriverFrameworks-UserMode/Operational") + $enabled = $true + $rules = $all_rules | Where-Object { RuleFilter $_ $eids $channels $guid } + $rules | ForEach-Object { $_.applicable = $enabled } + $auditResult += [WELA]::New( + "DriverFrameworks-UserMode Operational", + "", + $enabled, + [array]$rules, + "Enabled", + "", + "", + "" + ) + + # Firewall + $guid = "" + $eids = @() + $channels = @("Microsoft-Windows-Windows Firewall With Advanced Security/Firewall") + $enabled = $true + $rules = $all_rules | Where-Object { RuleFilter $_ $eids $channels $guid } + $rules | ForEach-Object { $_.applicable = $enabled } + $auditResult += [WELA]::New( + "Firewall", + "", + $enabled, + [array]$rules, + "Enabled", + "", + "", + "" + ) + + # NTLM Operational + $guid = "" + $eids = @() + $channels = @("Microsoft-Windows-Diagnosis-Scripted/Operational") + $enabled = $true + $rules = $all_rules | Where-Object { RuleFilter $_ $eids $channels $guid } + $rules | ForEach-Object { $_.applicable = $enabled } + $auditResult += [WELA]::New( + "Microsoft-Windows-NTLM/Operational", + "", + $enabled, + [array]$rules, + "Enabled", + "", + "", + "" + ) + + # PowerShell + ## Classic + $guid = "" + $eids = @("400") + $channels = @("pwsh") + $enabled = $true + $rules = $all_rules | Where-Object { RuleFilter $_ $eids $channels $guid } + $rules | ForEach-Object { $_.applicable = $enabled } + $auditResult += [WELA]::New( + "PowerShell", + "Classic", + $enabled, + [array]$rules, + "Enabled", + "", + "", + "" + ) + + ## Module + $guid = "" + $eids = @("4103") + $channels = @("pwsh") + $enabled = CheckRegistryValue -registryPath 
"HKLM:\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\PowerShell\ModuleLogging" -valueName "EnableModuleLogging" -expectedValue 1 + $rules = $all_rules | Where-Object { RuleFilter $_ $eids $channels $guid } + $rules | ForEach-Object { $_.applicable = $enabled } + $auditResult += [WELA]::New( + "PowerShell", + "Module", + $enabled, + [array]$rules, + "No Auditing", + "Enabled", + "", + "" + ) + + ## ScriptBlock + $guid = "" + $eids = @("4104") + $channels = @("pwsh") + $enabled = CheckRegistryValue -registryPath "HKLM:\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging" -valueName "EnableScriptBlockLogging" -expectedValue 1 + $rules = $all_rules | Where-Object { RuleFilter $_ $eids $channels $guid } + $rules | ForEach-Object { $_.applicable = $enabled } + $auditResult += [WELA]::New( + "PowerShell", + "ScriptBlock", + $enabled, + [array]$rules, + "Patially", + "Enabled", + "", + "" + ) + + # PrintService Admin + $guid = "" + $eids = @() + $channels = @("Microsoft-Windows-PrintService/Admin") + $enabled = $true + $rules = $all_rules | Where-Object { RuleFilter $_ $eids $channels $guid } + $rules | ForEach-Object { $_.applicable = $enabled } + $auditResult += [WELA]::New( + "PrintService", + "PrintService Admin", + $enabled, + [array]$rules, + "Enabled", + "", + "", + "" + ) + + # PrintService Operational + $guid = "" + $eids = @() + $channels = @("Microsoft-Windows-PrintService/Operational") + $enabled = $true + $rules = $all_rules | Where-Object { RuleFilter $_ $eids $channels $guid } + $rules | ForEach-Object { $_.applicable = $enabled } + $auditResult += [WELA]::New( + "PrintService", + "PrintService Operational", + $enabled, + [array]$rules, + "Enabled", + "", + "", + "" + ) + + # Security + ## Advanced + ### Account Logon + #### Credential Validation + $guid = "0CCE923F-69AE-11D9-BED3-505054503030" + $eids = @() + $channels = @("sec") + $enabled = $enabledguid -contains $guid + $rules = ApplyRules -enabled $enabled -rules $all_rules 
-guid $guid + $auditResult += [WELA]::New( + "Security Advanced (Account Logon)", + "Credential Validation", + $enabled, + [array]$rules, + "Client OS: No Auditing | Server OS: Success", + "Success and Failure", + "", + "" + ) + + #### Kerberos Authentication Service + $guid = "0CCE9242-69AE-11D9-BED3-505054503030" + $eids = @() + $channels = @("sec") + $enabled = $enabledguid -contains $guid + $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $auditResult += [WELA]::New( + "Security Advanced (Account Logon)", + "Kerberos Authentication Service", + $enabled, + [array]$rules, + "Client OS: No Auditing | Server OS: Success", + "", + "", + "" + ) + + #### Kerberos Service Ticket Operations + $guid = "0CCE9240-69AE-11D9-BED3-505054503030" + $eids = @() + $channels = @("sec") + $enabled = $enabledguid -contains $guid + $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $auditResult += [WELA]::New( + "Security Advanced (Account Logon)", + "Kerberos Service Ticket Operations", + $enabled, + [array]$rules, + "Client OS: No Auditing | Server OS: Success", + "", + "", + "" + ) + + ### Account Management + #### Computer Account Management + $guid = "0CCE9236-69AE-11D9-BED3-505054503030" + $eids = @() + $channels = @("sec") + $enabled = $enabledguid -contains $guid + $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $auditResult += [WELA]::New( + "Security Advanced (Account Management)", + "Computer Account Management", + $enabled, + [array]$rules, + "Client OS: No Auditing | Server OS: Success", + "Success and Failure", + "", + "" + ) + + #### Other Account Management Events + $guid = "0CCE923A-69AE-11D9-BED3-505054503030" + $eids = @() + $channels = @("sec") + $enabled = $enabledguid -contains $guid + $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $auditResult += [WELA]::New( + "Security Advanced (Account Management)", + "Other Account Management Events", + $enabled, + [array]$rules, + "No 
Auditing", + "Success and Failure", + "", + "" + ) + + #### Security Group Management + $guid = "0CCE9237-69AE-11D9-BED3-505054503030" + $eids = @() + $channels = @("sec") + $enabled = $enabledguid -contains $guid + $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $auditResult += [WELA]::New( + "Security Advanced (Account Management)", + "Security Group Management", + $enabled, + [array]$rules, + "No Auditing", + "Success and Failure", + "", + "" + ) + + #### User Account Management + $guid = "0CCE9235-69AE-11D9-BED3-505054503030" + $eids = @() + $channels = @("sec") + $enabled = $enabledguid -contains $guid + $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $auditResult += [WELA]::New( + "Security Advanced (Account Management)", + "User Account Management", + $enabled, + [array]$rules, + "No Auditing", + "Success and Failure", + "", + "" + ) + + ### Detailed Tracking + #### Plug and Play Events + $guid = "0CCE9248-69AE-11D9-BED3-505054503030" + $eids = @() + $channels = @("sec") + $enabled = $enabledguid -contains $guid + $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $auditResult += [WELA]::New( + "Security Advanced (Detailed Tracking)", + "Plug and Play Events", + $enabled, + [array]$rules, + "No Auditing", + "", + "", + "" + ) + + #### Process Creation + $guid = "0CCE922B-69AE-11D9-BED3-505054503030" + $eids = @() + $channels = @("sec") + $enabled = $enabledguid -contains $guid + $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $auditResult += [WELA]::New( + "Security Advanced (Detailed Tracking)", + "Process Creation", + $enabled, + [array]$rules, + "No Auditing", + "Success", + "", + "Include command line in process creation events" + ) + + #### Process Termination + $guid = "0CCE922C-69AE-11D9-BED3-505054503030" + $eids = @() + $channels = @("sec") + $enabled = $enabledguid -contains $guid + $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $auditResult 
+= [WELA]::New( + "Security Advanced (Detailed Tracking)", + "Process Termination", + $enabled, + [array]$rules, + "No Auditing", + "Success", + "", + "" + ) + + #### RPC Events + $guid = "0CCE922E-69AE-11D9-BED3-505054503030" + $eids = @() + $channels = @("sec") + $enabled = $enabledguid -contains $guid + $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $auditResult += [WELA]::New( + "Security Advanced (Detailed Tracking)", + "RPC Events", + $enabled, + [array]$rules, + "No Auditing", + "No Auditing", + "", + "" + ) + + #### Token Right Adjusted Events + $guid = "0CCE922E-69AE-11D9-BED3-505054503030" + $eids = @() + $channels = @("sec") + $enabled = $enabledguid -contains $guid + $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $auditResult += [WELA]::New( + "Security Advanced (Detailed Tracking)", + "Token Right Adjusted Events", + $enabled, + [array]$rules, + "No Auditing", + "No Auditing", + "", + "" + ) + + ### DS (Directory Service) Access + #### Directory Service Access + $guid = "0CCE923B-69AE-11D9-BED3-505054503030" + $eids = @() + $channels = @("sec") + $enabled = $enabledguid -contains $guid + $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $auditResult += [WELA]::New( + "Security Advanced (DS Access)", + "Directory Service Access", + $enabled, + [array]$rules, + "Client OS: No Auditing | Server OS: Success", + "", + "", + "" + ) + + #### Directory Service Changes + $guid = "0CCE923C-69AE-11D9-BED3-505054503030" + $eids = @() + $channels = @("sec") + $enabled = $enabledguid -contains $guid + $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $auditResult += [WELA]::New( + "Security Advanced (DS Access)", + "Directory Service Changes", + $enabled, + [array]$rules, + "No Auditing", + "", + "", + "" + ) + + ### Logon/Logoff + #### Account Lockout + $guid = "0CCE9217-69AE-11D9-BED3-505054503030" + $eids = @() + $channels = @("sec") + $enabled = $enabledguid -contains $guid + 
$rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $auditResult += [WELA]::New( + "Security Advanced (Logon/Logoff)", + "Account Lockout", + $enabled, + [array]$rules, + "Success", + "Failure", + "", + "" + ) + + #### Group Membership + $guid = "0CCE9249-69AE-11D9-BED3-505054503030" + $eids = @() + $channels = @("sec") + $enabled = $enabledguid -contains $guid + $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $auditResult += [WELA]::New( + "Security Advanced (Logon/Logoff)", + "Group Membership", + $enabled, + [array]$rules, + "No Auditing", + "Success", + "", + "" + ) + + #### Logoff + $guid = "0CCE9216-69AE-11D9-BED3-505054503030" + $eids = @() + $channels = @("sec") + $enabled = $enabledguid -contains $guid + $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $auditResult += [WELA]::New( + "Security Advanced (Logon/Logoff)", + "Group Membership", + $enabled, + [array]$rules, + "No Auditing", + "Success", + "", + "" + ) + + #### Logon + $guid = "0CCE9215-69AE-11D9-BED3-505054503030" + $eids = @() + $channels = @("sec") + $enabled = $enabledguid -contains $guid + $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $auditResult += [WELA]::New( + "Security Advanced (Logon/Logoff)", + "Logon", + $enabled, + [array]$rules, + "Client OS: Success | Server OS: Success and Failure", + "Success and Failure", + "", + "" + ) + + #### Other Logon/Logoff Events + $guid = "0CCE921C-69AE-11D9-BED3-505054503030" + $eids = @() + $channels = @("sec") + $enabled = $enabledguid -contains $guid + $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $auditResult += [WELA]::New( + "Security Advanced (Logon/Logoff)", + "Other Logon/Logoff Events", + $enabled, + [array]$rules, + "No Auditing", + "Success and Failure", + "", + "" + ) + + #### Special Logon + $guid = "0CCE921B-69AE-11D9-BED3-505054503030" + $eids = @() + $channels = @("sec") + $enabled = $enabledguid -contains $guid + $rules = 
ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $auditResult += [WELA]::New( + "Security Advanced (Logon/Logoff)", + "Special Logon", + $enabled, + [array]$rules, + "Success", + "Success and Failure", + "", + "" + ) + + + ### Object Access + #### Certification Services + $guid = "0CCE9221-69AE-11D9-BED3-505054503030" + $eids = @() + $channels = @("sec") + $enabled = $enabledguid -contains $guid + $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $auditResult += [WELA]::New( + "Security Advanced (Object Access)", + "Certification Services", + $enabled, + [array]$rules, + "No Auditing", + "", + "", + "" + ) + + #### Detailed File Share + $guid = "0CCE9244-69AE-11D9-BED3-505054503030" + $eids = @() + $channels = @("sec") + $enabled = $enabledguid -contains $guid + $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $auditResult += [WELA]::New( + "Security Advanced (Object Access)", + "Certification Services", + $enabled, + [array]$rules, + "No Auditing", + "No Auditing", + "", + "Enabling this setting is not recommended due to the high noise level)" + ) + + #### File Share + $guid = "0CCE9224-69AE-11D9-BED3-505054503030" + $eids = @() + $channels = @("sec") + $enabled = $enabledguid -contains $guid + $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $auditResult += [WELA]::New( + "Security Advanced (Object Access)", + "File Share", + $enabled, + [array]$rules, + "No Auditing", + "Success and Failure", + "", + "" + ) + + #### File System + $guid = "0CCE921D-69AE-11D9-BED3-505054503030" + $eids = @() + $channels = @("sec") + $enabled = $enabledguid -contains $guid + $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $auditResult += [WELA]::New( + "Security Advanced (Object Access)", + "File System", + $enabled, + [array]$rules, + "No Auditing", + "", + "", + "" + ) + + #### Filtering Platform Connection + $guid = "0CCE9226-69AE-11D9-BED3-505054503030" + $eids = @() + $channels = 
@("sec") + $enabled = $enabledguid -contains $guid + $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $auditResult += [WELA]::New( + "Security Advanced (Object Access)", + "Filtering Platform Connection", + $enabled, + [array]$rules, + "No Auditing", + "", + "", + "" + ) + + #### Filtering Platform Packet Drop + $guid = "0CCE9225-69AE-11D9-BED3-505054503030" + $eids = @() + $channels = @("sec") + $enabled = $enabledguid -contains $guid + $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $auditResult += [WELA]::New( + "Security Advanced (Object Access)", + "Filtering Platform Packet Drop", + $enabled, + [array]$rules, + "No Auditing", + "", + "", + "" + ) + + #### Kernel Object + $guid = "0CCE921F-69AE-11D9-BED3-505054503030" + $eids = @() + $channels = @("sec") + $enabled = $enabledguid -contains $guid + $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $auditResult += [WELA]::New( + "Security Advanced (Object Access)", + "Kernel Object", + $enabled, + [array]$rules, + "No Auditing", + "Success and Failure", + "", + "" + ) + + #### Handle Manipulation + $guid = "0CCE9223-69AE-11D9-BED3-505054503030" + $eids = @() + $channels = @("sec") + $enabled = $enabledguid -contains $guid + $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $auditResult += [WELA]::New( + "Security Advanced (Object Access)", + "Handle Manipulation", + $enabled, + [array]$rules, + "No Auditing", + "", + "", + "" + ) + + #### Other Object Access Events + $guid = "0CCE9227-69AE-11D9-BED3-505054503030" + $eids = @() + $channels = @("sec") + $enabled = $enabledguid -contains $guid + $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $auditResult += [WELA]::New( + "Security Advanced (Object Access)", + "Other Object Access Events", + $enabled, + [array]$rules, + "No Auditing", + "Success and Failure", + "", + "" + ) + + #### Registry + $guid = "0CCE921E-69AE-11D9-BED3-505054503030" + $eids = @() + 
$channels = @("sec") + $enabled = $enabledguid -contains $guid + $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $auditResult += [WELA]::New( + "Security Advanced (Object Access)", + "Registry", + $enabled, + [array]$rules, + "No Auditing", + "Success and Failure", + "", + "" + ) + + #### Removable Storage + $guid = "0CCE9245-69AE-11D9-BED3-505054503030" + $eids = @() + $channels = @("sec") + $enabled = $enabledguid -contains $guid + $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $auditResult += [WELA]::New( + "Security Advanced (Object Access)", + "Removable Storage", + $enabled, + [array]$rules, + "No Auditing", + "", + "", + "" + ) + + #### SAM + $guid = "0CCE9220-69AE-11D9-BED3-505054503030" + $eids = @() + $channels = @("sec") + $enabled = $enabledguid -contains $guid + $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $auditResult += [WELA]::New( + "Security Advanced (Object Access)", + "SAM", + $enabled, + [array]$rules, + "No Auditing", + "", + "", + "" + ) + + ### Policy Change + #### Audit Policy Change + $guid = "0CCE922F-69AE-11D9-BED3-505054503030" + $eids = @() + $channels = @("sec") + $enabled = $enabledguid -contains $guid + $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $auditResult += [WELA]::New( + "Security Advanced (Policy Change)", + "Audit Policy Change", + $enabled, + [array]$rules, + "Success", + "Success and Failure", + "", + "" + ) + + #### Authentication Policy Change + $guid = "0CCE9230-69AE-11D9-BED3-505054503030" + $eids = @() + $channels = @("sec") + $enabled = $enabledguid -contains $guid + $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $auditResult += [WELA]::New( + "Security Advanced (Policy Change)", + "Authentication Policy Change", + $enabled, + [array]$rules, + "Success", + "", + "", + "" + ) + + #### Authorization Policy Change + $guid = "0CCE9231-69AE-11D9-BED3-505054503030" + $eids = @() + $channels = @("sec") + 
$enabled = $enabledguid -contains $guid + $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $auditResult += [WELA]::New( + "Security Advanced (Policy Change)", + "Authorization Policy Change", + $enabled, + [array]$rules, + "No Auditing", + "", + "", + "" + ) + + #### Filtering Platform Policy Change + $guid = "0CCE9233-69AE-11D9-BED3-505054503030" + $eids = @() + $channels = @("sec") + $enabled = $enabledguid -contains $guid + $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $auditResult += [WELA]::New( + "Security Advanced (Policy Change)", + "Filtering Platform Policy Change", + $enabled, + [array]$rules, + "No Auditing", + "", + "", + "" + ) + + #### MPSSVC Rule-Level Policy Change + $guid = "0CCE9232-69AE-11D9-BED3-505054503030" + $eids = @() + $channels = @("sec") + $enabled = $enabledguid -contains $guid + $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $auditResult += [WELA]::New( + "Security Advanced (Policy Change)", + "MPSSVC Rule-Level Policy Change", + $enabled, + [array]$rules, + "No Auditing", + "", + "", + "" + ) + + #### Other Policy Change Events + $guid = "0CCE9234-69AE-11D9-BED3-505054503030" + $eids = @() + $channels = @("sec") + $enabled = $enabledguid -contains $guid + $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $auditResult += [WELA]::New( + "Security Advanced (Policy Change)", + "Other Policy Change Events", + $enabled, + [array]$rules, + "No Auditing", + "Success and Failure", + "", + "" + ) + + ### Privilege Use + #### Non-Sensitive Privilege Use + $guid = "0CCE9229-69AE-11D9-BED3-505054503030" + $eids = @() + $channels = @("sec") + $enabled = $enabledguid -contains $guid + $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $auditResult += [WELA]::New( + "Security Advanced (Privilege Use)", + "Non-Sensitive Privilege Use", + $enabled, + [array]$rules, + "No Auditing", + "", + "", + "" + ) + + #### Sensitive Privilege Use + $guid = 
"0CCE9228-69AE-11D9-BED3-505054503030" + $eids = @() + $channels = @("sec") + $enabled = $enabledguid -contains $guid + $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $auditResult += [WELA]::New( + "Security Advanced (Privilege Use)", + "Sensitive Privilege Use", + $enabled, + [array]$rules, + "No Auditing", + "", + "", + "" + ) + + ### System + #### Other System Events + $guid = "0CCE9214-69AE-11D9-BED3-505054503030" + $eids = @() + $channels = @("sec") + $enabled = $enabledguid -contains $guid + $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $auditResult += [WELA]::New( + "Security Advanced (System)", + "Other System Events", + $enabled, + [array]$rules, + "Success and Failure", + "", + "", + "" + ) + + #### Security State Change + $guid = "0CCE9210-69AE-11D9-BED3-505054503030" + $eids = @() + $channels = @("sec") + $enabled = $enabledguid -contains $guid + $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $auditResult += [WELA]::New( + "Security Advanced (System)", + "Other System Events", + $enabled, + [array]$rules, + "Success", + "", + "", + "" + ) + + #### Security System Extension + $guid = "0CCE9211-69AE-11D9-BED3-505054503030" + $eids = @() + $channels = @("sec") + $enabled = $enabledguid -contains $guid + $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $auditResult += [WELA]::New( + "Security Advanced (System)", + "Security System Extension", + $enabled, + [array]$rules, + "No Auditing", + "", + "", + "" + ) + + #### System Integrity + $guid = "0CCE9212-69AE-11D9-BED3-505054503030" + $eids = @() + $channels = @("sec") + $enabled = $enabledguid -contains $guid + $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $auditResult += [WELA]::New( + "Security Advanced (System)", + "System Integrity", + $enabled, + [array]$rules, + "Success and Failure", + "Success and Failure", + "", + "" + ) + + # Security-Mitigations KernelMode + $guid = "" + $eids = @() 
+ $channels = @("Microsoft-Windows-Security-Mitigations*") + $enabled = $true + $rules = $all_rules | Where-Object { RuleFilter $_ $eids $channels $guid } + $rules | ForEach-Object { $_.applicable = $enabled } + $auditResult += [WELA]::New( + "Security-Mitigations KernelMode", + "", + $enabled, + [array]$rules, + "Enabled", + "", + "", + "" + ) + + # Security-Mitigations UserMode + $guid = "" + $eids = @() + $channels = @("Microsoft-Windows-Security-Mitigations*") + $enabled = $true + $rules = $all_rules | Where-Object { RuleFilter $_ $eids $channels $guid } + $rules | ForEach-Object { $_.applicable = $enabled } + $auditResult += [WELA]::New( + "Security-Mitigations UserMode", + "", + $enabled, + [array]$rules, + "Enabled", + "", + "", + "" + ) + + # SMBClient Security + $guid = "" + $eids = @() + $channels = @("Microsoft-Windows-SmbClient/Security") + $enabled = $true + $rules = $all_rules | Where-Object { RuleFilter $_ $eids $channels $guid } + $rules | ForEach-Object { $_.applicable = $enabled } + $auditResult += [WELA]::New( + "SMBClient Security", + "", + $enabled, + [array]$rules, + "Enabled", + "", + "", + "" + ) + + # System + $guid = "" + $eids = @() + $channels = @("System") + $enabled = $true + $rules = $all_rules | Where-Object { RuleFilter $_ $eids $channels $guid } + $rules | ForEach-Object { $_.applicable = $enabled } + $auditResult += [WELA]::New( + "System", + "", + $enabled, + [array]$rules, + "Enabled", + "", + "", + "" + ) + + # TaskScheduler Operational + $guid = "" + $eids = @() + $channels = @("Microsoft-Windows-TaskScheduler/Operational") + $enabled = $true + $rules = $all_rules | Where-Object { RuleFilter $_ $eids $channels $guid } + $rules | ForEach-Object { $_.applicable = $enabled } + $auditResult += [WELA]::New( + "TaskScheduler Operational", + "", + $enabled, + [array]$rules, + "Enabled", + "", + "", + "" + ) + + # TerminalServices-LocalSessionManager Operational + $guid = "" + $eids = @() + $channels = 
@("Microsoft-Windows-TerminalServices-LocalSessionManager/Operational") + $enabled = $true + $rules = $all_rules | Where-Object { RuleFilter $_ $eids $channels $guid } + $rules | ForEach-Object { $_.applicable = $enabled } + $auditResult += [WELA]::New( + "TerminalServices-LocalSessionManager Operational", + "", + $enabled, + [array]$rules, + "Enabled", + "", + "", + "" + ) + + # WMI-Activity Operational + $guid = "" + $eids = @() + $channels = @("Microsoft-Windows-WMI-Activity/Operational") + $enabled = $true + $rules = $all_rules | Where-Object { RuleFilter $_ $eids $channels $guid } + $rules | ForEach-Object { $_.applicable = $enabled } + $auditResult += [WELA]::New( + "WMI-Activity Operational", + "", + $enabled, + [array]$rules, + "Enabled", + "", + "", + "" + ) + + # Windows Defender Operational + $guid = "" + $eids = @() + $channels = @("Microsoft-Windows-Windows Defender/Operational") + $enabled = $true + $rules = $all_rules | Where-Object { RuleFilter $_ $eids $channels $guid } + $rules | ForEach-Object { $_.applicable = $enabled } + $auditResult += [WELA]::New( + "Windows Defender Operational", + "", + $enabled, + [array]$rules, + "Enabled", + "", + "", + "" + ) + return $auditResult +} + +function GuideMSC { + param ( + [object[]] $all_rules + ) + + $auditResult = @() + # Application + $guid = "" + $eids = @() + $channels = @("Application") + $enabled = $true + $rules = $all_rules | Where-Object { RuleFilter $_ $eids $channels $guid } + $rules | ForEach-Object { $_.applicable = $enabled } + $auditResult += [WELA]::New( + "Application", + "", + $enabled, + [array]$rules, + "Enabled", + "", + "", + "" + ) + + # Applocker + $guid = "" + $eids = @() + $channels = @("Microsoft-Windows-AppLocker/MSI and Script", "Microsoft-Windows-AppLocker/EXE and DLL", "Microsoft-Windows-AppLocker/Packaged app-Deployment", "Microsoft-Windows-AppLocker/Packaged app-Execution") + $enabled = $true + $rules = $all_rules | Where-Object { RuleFilter $_ $eids $channels $guid } + 
$rules | ForEach-Object { $_.applicable = $enabled } + $auditResult += [WELA]::New( + "Applocker", + "", + $enabled, + [array]$rules, + "Enabled", + "", + "", + "" + ) + + # Bits-Client Operational + $guid = "" + $eids = @() + $channels = @("Microsoft-Windows-Bits-Client/Operational") + $enabled = $true + $rules = $all_rules | Where-Object { RuleFilter $_ $eids $channels $guid } + $rules | ForEach-Object { $_.applicable = $enabled } + $auditResult += [WELA]::New( + "Bits-Client Operational", + "", + $enabled, + [array]$rules, + "Enabled", + "", + "", + "" + ) + + # CodeIntegrity Operational + $guid = "" + $eids = @() + $channels = @("Microsoft-Windows-CodeIntegrity/Operational") + $enabled = $true + $rules = $all_rules | Where-Object { RuleFilter $_ $eids $channels $guid } + $rules | ForEach-Object { $_.applicable = $enabled } + $auditResult += [WELA]::New( + "CodeIntegrity Operational", + "", + $enabled, + [array]$rules, + "Enabled", + "", + "", + "" + ) + + # Diagnosis-Scripted Operational + $guid = "" + $eids = @() + $channels = @("Microsoft-Windows-Diagnosis-Scripted/Operational") + $enabled = $true + $rules = $all_rules | Where-Object { RuleFilter $_ $eids $channels $guid } + $rules | ForEach-Object { $_.applicable = $enabled } + $auditResult += [WELA]::New( + "Diagnosis-Scripted Operational", + "", + $enabled, + [array]$rules, + "Enabled", + "", + "", + "" + ) + + # DriverFrameworks-UserMode Operational + $guid = "" + $eids = @() + $channels = @("Microsoft-Windows-DriverFrameworks-UserMode/Operational") + $enabled = $true + $rules = $all_rules | Where-Object { RuleFilter $_ $eids $channels $guid } + $rules | ForEach-Object { $_.applicable = $enabled } + $auditResult += [WELA]::New( + "DriverFrameworks-UserMode Operational", + "", + $enabled, + [array]$rules, + "Enabled", + "", + "", + "" + ) + + # Firewall + $guid = "" + $eids = @() + $channels = @("Microsoft-Windows-Windows Firewall With Advanced Security/Firewall") + $enabled = $true + $rules = $all_rules | 
Where-Object { RuleFilter $_ $eids $channels $guid } + $rules | ForEach-Object { $_.applicable = $enabled } + $auditResult += [WELA]::New( + "Firewall", + "", + $enabled, + [array]$rules, + "Enabled", + "", + "", + "" + ) + + # NTLM Operational + $guid = "" + $eids = @() + $channels = @("Microsoft-Windows-Diagnosis-Scripted/Operational") + $enabled = $true + $rules = $all_rules | Where-Object { RuleFilter $_ $eids $channels $guid } + $rules | ForEach-Object { $_.applicable = $enabled } + $auditResult += [WELA]::New( + "Microsoft-Windows-NTLM/Operational", + "", + $enabled, + [array]$rules, + "Enabled", + "", + "", + "" + ) + + # PowerShell + ## Classic + $guid = "" + $eids = @("400") + $channels = @("pwsh") + $enabled = $true + $rules = $all_rules | Where-Object { RuleFilter $_ $eids $channels $guid } + $rules | ForEach-Object { $_.applicable = $enabled } + $auditResult += [WELA]::New( + "PowerShell", + "Classic", + $enabled, + [array]$rules, + "Enabled", + "", + "", + "" + ) + + ## Module + $guid = "" + $eids = @("4103") + $channels = @("pwsh") + $enabled = CheckRegistryValue -registryPath "HKLM:\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\PowerShell\ModuleLogging" -valueName "EnableModuleLogging" -expectedValue 1 + $rules = $all_rules | Where-Object { RuleFilter $_ $eids $channels $guid } + $rules | ForEach-Object { $_.applicable = $enabled } + $auditResult += [WELA]::New( + "PowerShell", + "Module", + $enabled, + [array]$rules, + "No Auditing", + "", + "", + "" + ) + + ## ScriptBlock + $guid = "" + $eids = @("4104") + $channels = @("pwsh") + $enabled = CheckRegistryValue -registryPath "HKLM:\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging" -valueName "EnableScriptBlockLogging" -expectedValue 1 + $rules = $all_rules | Where-Object { RuleFilter $_ $eids $channels $guid } + $rules | ForEach-Object { $_.applicable = $enabled } + $auditResult += [WELA]::New( + "PowerShell", + "ScriptBlock", + $enabled, + [array]$rules, + "Patially", 
+ "", + "", + "" + ) + + # PrintService Admin + $guid = "" + $eids = @() + $channels = @("Microsoft-Windows-PrintService/Admin") + $enabled = $true + $rules = $all_rules | Where-Object { RuleFilter $_ $eids $channels $guid } + $rules | ForEach-Object { $_.applicable = $enabled } + $auditResult += [WELA]::New( + "PrintService", + "PrintService Admin", + $enabled, + [array]$rules, + "Enabled", + "", + "", + "" + ) + + # PrintService Operational + $guid = "" + $eids = @() + $channels = @("Microsoft-Windows-PrintService/Operational") + $enabled = $true + $rules = $all_rules | Where-Object { RuleFilter $_ $eids $channels $guid } + $rules | ForEach-Object { $_.applicable = $enabled } + $auditResult += [WELA]::New( + "PrintService", + "PrintService Operational", + $enabled, + [array]$rules, + "Enabled", + "", + "", + "" + ) + + # Security + ## Advanced + ### Account Logon + #### Credential Validation + $guid = "0CCE923F-69AE-11D9-BED3-505054503030" + $eids = @() + $channels = @("sec") + $enabled = $enabledguid -contains $guid + $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $auditResult += [WELA]::New( + "Security Advanced (Account Logon)", + "Credential Validation", + $enabled, + [array]$rules, + "Client OS: No Auditing | Server OS: Success", + "Success and Failure", + "", + "" + ) + + #### Kerberos Authentication Service + $guid = "0CCE9242-69AE-11D9-BED3-505054503030" + $eids = @() + $channels = @("sec") + $enabled = $enabledguid -contains $guid + $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $auditResult += [WELA]::New( + "Security Advanced (Account Logon)", + "Kerberos Authentication Service", + $enabled, + [array]$rules, + "Client OS: No Auditing | Server OS: Success", + "", + "", + "" + ) + + #### Kerberos Service Ticket Operations + $guid = "0CCE9240-69AE-11D9-BED3-505054503030" + $eids = @() + $channels = @("sec") + $enabled = $enabledguid -contains $guid + $rules = ApplyRules -enabled $enabled -rules $all_rules 
-guid $guid + $auditResult += [WELA]::New( + "Security Advanced (Account Logon)", + "Kerberos Service Ticket Operations", + $enabled, + [array]$rules, + "Client OS: No Auditing | Server OS: Success", + "", + "", + "" + ) + + ### Account Management + #### Computer Account Management + $guid = "0CCE9236-69AE-11D9-BED3-505054503030" + $eids = @() + $channels = @("sec") + $enabled = $enabledguid -contains $guid + $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $auditResult += [WELA]::New( + "Security Advanced (Account Management)", + "Computer Account Management", + $enabled, + [array]$rules, + "Client OS: No Auditing | Server OS: Success", + "Success", + "", + "" + ) + + #### Other Account Management Events + $guid = "0CCE923A-69AE-11D9-BED3-505054503030" + $eids = @() + $channels = @("sec") + $enabled = $enabledguid -contains $guid + $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $auditResult += [WELA]::New( + "Security Advanced (Account Management)", + "Other Account Management Events", + $enabled, + [array]$rules, + "No Auditing", + "Success", + "", + "" + ) + + #### Security Group Management + $guid = "0CCE9237-69AE-11D9-BED3-505054503030" + $eids = @() + $channels = @("sec") + $enabled = $enabledguid -contains $guid + $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $auditResult += [WELA]::New( + "Security Advanced (Account Management)", + "Security Group Management", + $enabled, + [array]$rules, + "No Auditing", + "Success", + "", + "" + ) + + #### User Account Management + $guid = "0CCE9235-69AE-11D9-BED3-505054503030" + $eids = @() + $channels = @("sec") + $enabled = $enabledguid -contains $guid + $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $auditResult += [WELA]::New( + "Security Advanced (Account Management)", + "User Account Management", + $enabled, + [array]$rules, + "No Auditing", + "Success", + "", + "" + ) + + ### Detailed Tracking + #### Plug and Play Events + 
$guid = "0CCE9248-69AE-11D9-BED3-505054503030" + $eids = @() + $channels = @("sec") + $enabled = $enabledguid -contains $guid + $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $auditResult += [WELA]::New( + "Security Advanced (Detailed Tracking)", + "Plug and Play Events", + $enabled, + [array]$rules, + "No Auditing", + "", + "", + "" + ) + + #### Process Creation + $guid = "0CCE922B-69AE-11D9-BED3-505054503030" + $eids = @() + $channels = @("sec") + $enabled = $enabledguid -contains $guid + $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $auditResult += [WELA]::New( + "Security Advanced (Detailed Tracking)", + "Process Creation", + $enabled, + [array]$rules, + "No Auditing", + "Success", + "", + "Include command line in process creation events" + ) + + #### Process Termination + $guid = "0CCE922C-69AE-11D9-BED3-505054503030" + $eids = @() + $channels = @("sec") + $enabled = $enabledguid -contains $guid + $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $auditResult += [WELA]::New( + "Security Advanced (Detailed Tracking)", + "Process Termination", + $enabled, + [array]$rules, + "No Auditing", + "", + "", + "" + ) + + #### RPC Events + $guid = "0CCE922E-69AE-11D9-BED3-505054503030" + $eids = @() + $channels = @("sec") + $enabled = $enabledguid -contains $guid + $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $auditResult += [WELA]::New( + "Security Advanced (Detailed Tracking)", + "RPC Events", + $enabled, + [array]$rules, + "No Auditing", + "", + "", + "" + ) + + #### Token Right Adjusted Events + $guid = "0CCE922E-69AE-11D9-BED3-505054503030" + $eids = @() + $channels = @("sec") + $enabled = $enabledguid -contains $guid + $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $auditResult += [WELA]::New( + "Security Advanced (Detailed Tracking)", + "Token Right Adjusted Events", + $enabled, + [array]$rules, + "No Auditing", + "", + "", + "" + ) + + ### DS 
(Directory Service) Access + #### Directory Service Access + $guid = "0CCE923B-69AE-11D9-BED3-505054503030" + $eids = @() + $channels = @("sec") + $enabled = $enabledguid -contains $guid + $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $auditResult += [WELA]::New( + "Security Advanced (DS Access)", + "Directory Service Access", + $enabled, + [array]$rules, + "Client OS: No Auditing | Server OS: Success", + "", + "", + "" + ) + + #### Directory Service Changes + $guid = "0CCE923C-69AE-11D9-BED3-505054503030" + $eids = @() + $channels = @("sec") + $enabled = $enabledguid -contains $guid + $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $auditResult += [WELA]::New( + "Security Advanced (DS Access)", + "Directory Service Changes", + $enabled, + [array]$rules, + "No Auditing", + "", + "", + "" + ) + + ### Logon/Logoff + #### Account Lockout + $guid = "0CCE9217-69AE-11D9-BED3-505054503030" + $eids = @() + $channels = @("sec") + $enabled = $enabledguid -contains $guid + $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $auditResult += [WELA]::New( + "Security Advanced (Logon/Logoff)", + "Account Lockout", + $enabled, + [array]$rules, + "Success", + "Failure", + "", + "" + ) + + #### Group Membership + $guid = "0CCE9249-69AE-11D9-BED3-505054503030" + $eids = @() + $channels = @("sec") + $enabled = $enabledguid -contains $guid + $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $auditResult += [WELA]::New( + "Security Advanced (Logon/Logoff)", + "Group Membership", + $enabled, + [array]$rules, + "No Auditing", + "Success", + "", + "" + ) + + #### Logoff + $guid = "0CCE9216-69AE-11D9-BED3-505054503030" + $eids = @() + $channels = @("sec") + $enabled = $enabledguid -contains $guid + $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $auditResult += [WELA]::New( + "Security Advanced (Logon/Logoff)", + "Group Membership", + $enabled, + [array]$rules, + "No Auditing", + 
"Success", + "", + "" + ) + + #### Logon + $guid = "0CCE9215-69AE-11D9-BED3-505054503030" + $eids = @() + $channels = @("sec") + $enabled = $enabledguid -contains $guid + $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $auditResult += [WELA]::New( + "Security Advanced (Logon/Logoff)", + "Logon", + $enabled, + [array]$rules, + "Client OS: Success | Server OS: Success and Failure", + "Success and Failure", + "", + "" + ) + + #### Other Logon/Logoff Events + $guid = "0CCE921C-69AE-11D9-BED3-505054503030" + $eids = @() + $channels = @("sec") + $enabled = $enabledguid -contains $guid + $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $auditResult += [WELA]::New( + "Security Advanced (Logon/Logoff)", + "Other Logon/Logoff Events", + $enabled, + [array]$rules, + "No Auditing", + "Success and Failure", + "", + "" + ) + + #### Special Logon + $guid = "0CCE921B-69AE-11D9-BED3-505054503030" + $eids = @() + $channels = @("sec") + $enabled = $enabledguid -contains $guid + $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $auditResult += [WELA]::New( + "Security Advanced (Logon/Logoff)", + "Special Logon", + $enabled, + [array]$rules, + "Success", + "Success", + "", + "" + ) + + + ### Object Access + #### Certification Services + $guid = "0CCE9221-69AE-11D9-BED3-505054503030" + $eids = @() + $channels = @("sec") + $enabled = $enabledguid -contains $guid + $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $auditResult += [WELA]::New( + "Security Advanced (Object Access)", + "Certification Services", + $enabled, + [array]$rules, + "No Auditing", + "", + "", + "" + ) + + #### Detailed File Share + $guid = "0CCE9244-69AE-11D9-BED3-505054503030" + $eids = @() + $channels = @("sec") + $enabled = $enabledguid -contains $guid + $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $auditResult += [WELA]::New( + "Security Advanced (Object Access)", + "Certification Services", + $enabled, + 
[array]$rules, + "No Auditing", + "", + "", + "Enabling this setting is not recommended due to the high noise level)" + ) + + #### File Share + $guid = "0CCE9224-69AE-11D9-BED3-505054503030" + $eids = @() + $channels = @("sec") + $enabled = $enabledguid -contains $guid + $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $auditResult += [WELA]::New( + "Security Advanced (Object Access)", + "File Share", + $enabled, + [array]$rules, + "No Auditing", + "Success and Failure", + "", + "" + ) + + #### File System + $guid = "0CCE921D-69AE-11D9-BED3-505054503030" + $eids = @() + $channels = @("sec") + $enabled = $enabledguid -contains $guid + $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $auditResult += [WELA]::New( + "Security Advanced (Object Access)", + "File System", + $enabled, + [array]$rules, + "No Auditing", + "", + "", + "" + ) + + #### Filtering Platform Connection + $guid = "0CCE9226-69AE-11D9-BED3-505054503030" + $eids = @() + $channels = @("sec") + $enabled = $enabledguid -contains $guid + $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $auditResult += [WELA]::New( + "Security Advanced (Object Access)", + "Filtering Platform Connection", + $enabled, + [array]$rules, + "No Auditing", + "", + "", + "" + ) + + #### Filtering Platform Packet Drop + $guid = "0CCE9225-69AE-11D9-BED3-505054503030" + $eids = @() + $channels = @("sec") + $enabled = $enabledguid -contains $guid + $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $auditResult += [WELA]::New( + "Security Advanced (Object Access)", + "Filtering Platform Packet Drop", + $enabled, + [array]$rules, + "No Auditing", + "", + "", + "" + ) + + #### Kernel Object + $guid = "0CCE921F-69AE-11D9-BED3-505054503030" + $eids = @() + $channels = @("sec") + $enabled = $enabledguid -contains $guid + $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $auditResult += [WELA]::New( + "Security Advanced (Object Access)", + 
"Kernel Object", + $enabled, + [array]$rules, + "No Auditing", + "Success and Failure", + "", + "" + ) + + #### Handle Manipulation + $guid = "0CCE9223-69AE-11D9-BED3-505054503030" + $eids = @() + $channels = @("sec") + $enabled = $enabledguid -contains $guid + $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $auditResult += [WELA]::New( + "Security Advanced (Object Access)", + "Handle Manipulation", + $enabled, + [array]$rules, + "No Auditing", + "", + "", + "" + ) + + #### Other Object Access Events + $guid = "0CCE9227-69AE-11D9-BED3-505054503030" + $eids = @() + $channels = @("sec") + $enabled = $enabledguid -contains $guid + $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $auditResult += [WELA]::New( + "Security Advanced (Object Access)", + "Other Object Access Events", + $enabled, + [array]$rules, + "No Auditing", + "Success and Failure", + "", + "" + ) + + #### Registry + $guid = "0CCE921E-69AE-11D9-BED3-505054503030" + $eids = @() + $channels = @("sec") + $enabled = $enabledguid -contains $guid + $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $auditResult += [WELA]::New( + "Security Advanced (Object Access)", + "Registry", + $enabled, + [array]$rules, + "No Auditing", + "Success and Failure", + "", + "" + ) + + #### Removable Storage + $guid = "0CCE9245-69AE-11D9-BED3-505054503030" + $eids = @() + $channels = @("sec") + $enabled = $enabledguid -contains $guid + $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $auditResult += [WELA]::New( + "Security Advanced (Object Access)", + "Removable Storage", + $enabled, + [array]$rules, + "No Auditing", + "", + "", + "" + ) + + #### SAM + $guid = "0CCE9220-69AE-11D9-BED3-505054503030" + $eids = @() + $channels = @("sec") + $enabled = $enabledguid -contains $guid + $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $auditResult += [WELA]::New( + "Security Advanced (Object Access)", + "SAM", + $enabled, + 
[array]$rules, + "No Auditing", + "", + "", + "" + ) + + ### Policy Change + #### Audit Policy Change + $guid = "0CCE922F-69AE-11D9-BED3-505054503030" + $eids = @() + $channels = @("sec") + $enabled = $enabledguid -contains $guid + $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $auditResult += [WELA]::New( + "Security Advanced (Policy Change)", + "Audit Policy Change", + $enabled, + [array]$rules, + "Success", + "Success and Failure", + "", + "" + ) + + #### Authentication Policy Change + $guid = "0CCE9230-69AE-11D9-BED3-505054503030" + $eids = @() + $channels = @("sec") + $enabled = $enabledguid -contains $guid + $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $auditResult += [WELA]::New( + "Security Advanced (Policy Change)", + "Authentication Policy Change", + $enabled, + [array]$rules, + "Success", + "Success", + "", + "" + ) + + #### Authorization Policy Change + $guid = "0CCE9231-69AE-11D9-BED3-505054503030" + $eids = @() + $channels = @("sec") + $enabled = $enabledguid -contains $guid + $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $auditResult += [WELA]::New( + "Security Advanced (Policy Change)", + "Authorization Policy Change", + $enabled, + [array]$rules, + "No Auditing", + "", + "", + "" + ) + + #### Filtering Platform Policy Change + $guid = "0CCE9233-69AE-11D9-BED3-505054503030" + $eids = @() + $channels = @("sec") + $enabled = $enabledguid -contains $guid + $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $auditResult += [WELA]::New( + "Security Advanced (Policy Change)", + "Filtering Platform Policy Change", + $enabled, + [array]$rules, + "No Auditing", + "", + "", + "" + ) + + #### MPSSVC Rule-Level Policy Change + $guid = "0CCE9232-69AE-11D9-BED3-505054503030" + $eids = @() + $channels = @("sec") + $enabled = $enabledguid -contains $guid + $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $auditResult += [WELA]::New( + "Security Advanced 
(Policy Change)", + "MPSSVC Rule-Level Policy Change", + $enabled, + [array]$rules, + "No Auditing", + "", + "", + "" + ) + + #### Other Policy Change Events + $guid = "0CCE9234-69AE-11D9-BED3-505054503030" + $eids = @() + $channels = @("sec") + $enabled = $enabledguid -contains $guid + $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $auditResult += [WELA]::New( + "Security Advanced (Policy Change)", + "Other Policy Change Events", + $enabled, + [array]$rules, + "No Auditing", + "Success and Failure", + "", + "" + ) + + ### Privilege Use + #### Non-Sensitive Privilege Use + $guid = "0CCE9229-69AE-11D9-BED3-505054503030" + $eids = @() + $channels = @("sec") + $enabled = $enabledguid -contains $guid + $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $auditResult += [WELA]::New( + "Security Advanced (Privilege Use)", + "Non-Sensitive Privilege Use", + $enabled, + [array]$rules, + "No Auditing", + "", + "", + "" + ) + + #### Sensitive Privilege Use + $guid = "0CCE9228-69AE-11D9-BED3-505054503030" + $eids = @() + $channels = @("sec") + $enabled = $enabledguid -contains $guid + $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $auditResult += [WELA]::New( + "Security Advanced (Privilege Use)", + "Sensitive Privilege Use", + $enabled, + [array]$rules, + "No Auditing", + "", + "", + "" + ) + + ### System + #### Other System Events + $guid = "0CCE9214-69AE-11D9-BED3-505054503030" + $eids = @() + $channels = @("sec") + $enabled = $enabledguid -contains $guid + $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $auditResult += [WELA]::New( + "Security Advanced (System)", + "Other System Events", + $enabled, + [array]$rules, + "Success and Failure", + "", + "", + "" + ) + + #### Security State Change + $guid = "0CCE9210-69AE-11D9-BED3-505054503030" + $eids = @() + $channels = @("sec") + $enabled = $enabledguid -contains $guid + $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + 
$auditResult += [WELA]::New( + "Security Advanced (System)", + "Other System Events", + $enabled, + [array]$rules, + "Success", + "Success and Failure", + "" + ) + + #### Security System Extension + $guid = "0CCE9211-69AE-11D9-BED3-505054503030" + $eids = @() + $channels = @("sec") + $enabled = $enabledguid -contains $guid + $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $auditResult += [WELA]::New( + "Security Advanced (System)", + "Security System Extension", + $enabled, + [array]$rules, + "No Auditing", + "", + "", + "" + ) + + #### System Integrity + $guid = "0CCE9212-69AE-11D9-BED3-505054503030" + $eids = @() + $channels = @("sec") + $enabled = $enabledguid -contains $guid + $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $auditResult += [WELA]::New( + "Security Advanced (System)", + "System Integrity", + $enabled, + [array]$rules, + "Success and Failure", + "Success and Failure", + "", + "" + ) + + # Security-Mitigations KernelMode + $guid = "" + $eids = @() + $channels = @("Microsoft-Windows-Security-Mitigations*") + $enabled = $true + $rules = $all_rules | Where-Object { RuleFilter $_ $eids $channels $guid } + $rules | ForEach-Object { $_.applicable = $enabled } + $auditResult += [WELA]::New( + "Security-Mitigations KernelMode", + "", + $enabled, + [array]$rules, + "Enabled", + "", + "", + "" + ) + + # Security-Mitigations UserMode + $guid = "" + $eids = @() + $channels = @("Microsoft-Windows-Security-Mitigations*") + $enabled = $true + $rules = $all_rules | Where-Object { RuleFilter $_ $eids $channels $guid } + $rules | ForEach-Object { $_.applicable = $enabled } + $auditResult += [WELA]::New( + "Security-Mitigations UserMode", + "", + $enabled, + [array]$rules, + "Enabled", + "", + "", + "" + ) + + # SMBClient Security + $guid = "" + $eids = @() + $channels = @("Microsoft-Windows-SmbClient/Security") + $enabled = $true + $rules = $all_rules | Where-Object { RuleFilter $_ $eids $channels $guid } + $rules | 
ForEach-Object { $_.applicable = $enabled } + $auditResult += [WELA]::New( + "SMBClient Security", + "", + $enabled, + [array]$rules, + "Enabled", + "", + "", + "" + ) + + # System + $guid = "" + $eids = @() + $channels = @("System") + $enabled = $true + $rules = $all_rules | Where-Object { RuleFilter $_ $eids $channels $guid } + $rules | ForEach-Object { $_.applicable = $enabled } + $auditResult += [WELA]::New( + "System", + "", + $enabled, + [array]$rules, + "Enabled", + "", + "", + "" + ) + + # TaskScheduler Operational + $guid = "" + $eids = @() + $channels = @("Microsoft-Windows-TaskScheduler/Operational") + $enabled = $true + $rules = $all_rules | Where-Object { RuleFilter $_ $eids $channels $guid } + $rules | ForEach-Object { $_.applicable = $enabled } + $auditResult += [WELA]::New( + "TaskScheduler Operational", + "", + $enabled, + [array]$rules, + "Enabled", + "", + "", + "" + ) + + # TerminalServices-LocalSessionManager Operational + $guid = "" + $eids = @() + $channels = @("Microsoft-Windows-TerminalServices-LocalSessionManager/Operational") + $enabled = $true + $rules = $all_rules | Where-Object { RuleFilter $_ $eids $channels $guid } + $rules | ForEach-Object { $_.applicable = $enabled } + $auditResult += [WELA]::New( + "TerminalServices-LocalSessionManager Operational", + "", + $enabled, + [array]$rules, + "Enabled", + "", + "", + "" + ) + + # WMI-Activity Operational + $guid = "" + $eids = @() + $channels = @("Microsoft-Windows-WMI-Activity/Operational") + $enabled = $true + $rules = $all_rules | Where-Object { RuleFilter $_ $eids $channels $guid } + $rules | ForEach-Object { $_.applicable = $enabled } + $auditResult += [WELA]::New( + "WMI-Activity Operational", + "", + $enabled, + [array]$rules, + "Enabled", + "", + "", + "" + ) + + # Windows Defender Operational + $guid = "" + $eids = @() + $channels = @("Microsoft-Windows-Windows Defender/Operational") + $enabled = $true + $rules = $all_rules | Where-Object { RuleFilter $_ $eids $channels $guid } 
+ $rules | ForEach-Object { $_.applicable = $enabled } + $auditResult += [WELA]::New( + "Windows Defender Operational", + "", + $enabled, + [array]$rules, + "Enabled", + "", + "", + "" + ) + return $auditResult +} + +function GuideMSS { + param ( + [object[]] $all_rules + ) + + $auditResult = @() + # Application + $guid = "" + $eids = @() + $channels = @("Application") + $enabled = $true + $rules = $all_rules | Where-Object { RuleFilter $_ $eids $channels $guid } + $rules | ForEach-Object { $_.applicable = $enabled } + $auditResult += [WELA]::New( + "Application", + "", + $enabled, + [array]$rules, + "Enabled", + "", + "", + "" + ) + + # Applocker + $guid = "" + $eids = @() + $channels = @("Microsoft-Windows-AppLocker/MSI and Script", "Microsoft-Windows-AppLocker/EXE and DLL", "Microsoft-Windows-AppLocker/Packaged app-Deployment", "Microsoft-Windows-AppLocker/Packaged app-Execution") + $enabled = $true + $rules = $all_rules | Where-Object { RuleFilter $_ $eids $channels $guid } + $rules | ForEach-Object { $_.applicable = $enabled } + $auditResult += [WELA]::New( + "Applocker", + "", + $enabled, + [array]$rules, + "Enabled", + "", + "", + "" + ) + + # Bits-Client Operational + $guid = "" + $eids = @() + $channels = @("Microsoft-Windows-Bits-Client/Operational") + $enabled = $true + $rules = $all_rules | Where-Object { RuleFilter $_ $eids $channels $guid } + $rules | ForEach-Object { $_.applicable = $enabled } + $auditResult += [WELA]::New( + "Bits-Client Operational", + "", + $enabled, + [array]$rules, + "Enabled", + "", + "", + "" + ) + + # CodeIntegrity Operational + $guid = "" + $eids = @() + $channels = @("Microsoft-Windows-CodeIntegrity/Operational") + $enabled = $true + $rules = $all_rules | Where-Object { RuleFilter $_ $eids $channels $guid } + $rules | ForEach-Object { $_.applicable = $enabled } + $auditResult += [WELA]::New( + "CodeIntegrity Operational", + "", + $enabled, + [array]$rules, + "Enabled", + "", + "", + "" + ) + + # Diagnosis-Scripted 
Operational + $guid = "" + $eids = @() + $channels = @("Microsoft-Windows-Diagnosis-Scripted/Operational") + $enabled = $true + $rules = $all_rules | Where-Object { RuleFilter $_ $eids $channels $guid } + $rules | ForEach-Object { $_.applicable = $enabled } + $auditResult += [WELA]::New( + "Diagnosis-Scripted Operational", + "", + $enabled, + [array]$rules, + "Enabled", + "", + "", + "" + ) + + # DriverFrameworks-UserMode Operational + $guid = "" + $eids = @() + $channels = @("Microsoft-Windows-DriverFrameworks-UserMode/Operational") + $enabled = $true + $rules = $all_rules | Where-Object { RuleFilter $_ $eids $channels $guid } + $rules | ForEach-Object { $_.applicable = $enabled } + $auditResult += [WELA]::New( + "DriverFrameworks-UserMode Operational", + "", + $enabled, + [array]$rules, + "Enabled", + "", + "", + "" + ) + + # Firewall + $guid = "" + $eids = @() + $channels = @("Microsoft-Windows-Windows Firewall With Advanced Security/Firewall") + $enabled = $true + $rules = $all_rules | Where-Object { RuleFilter $_ $eids $channels $guid } + $rules | ForEach-Object { $_.applicable = $enabled } + $auditResult += [WELA]::New( + "Firewall", + "", + $enabled, + [array]$rules, + "Enabled", + "", + "", + "" + ) + + # NTLM Operational + $guid = "" + $eids = @() + $channels = @("Microsoft-Windows-Diagnosis-Scripted/Operational") + $enabled = $true + $rules = $all_rules | Where-Object { RuleFilter $_ $eids $channels $guid } + $rules | ForEach-Object { $_.applicable = $enabled } + $auditResult += [WELA]::New( + "Microsoft-Windows-NTLM/Operational", + "", + $enabled, + [array]$rules, + "Enabled", + "", + "", + "" + ) + + # PowerShell + ## Classic + $guid = "" + $eids = @("400") + $channels = @("pwsh") + $enabled = $true + $rules = $all_rules | Where-Object { RuleFilter $_ $eids $channels $guid } + $rules | ForEach-Object { $_.applicable = $enabled } + $auditResult += [WELA]::New( + "PowerShell", + "Classic", + $enabled, + [array]$rules, + "Enabled", + "", + "", + "" + ) + + 
## Module
+ $guid = ""
+ $eids = @("4103")
+ $channels = @("pwsh")
+ $enabled = CheckRegistryValue -registryPath "HKLM:\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\PowerShell\ModuleLogging" -valueName "EnableModuleLogging" -expectedValue 1
+ $rules = $all_rules | Where-Object { RuleFilter $_ $eids $channels $guid }
+ $rules | ForEach-Object { $_.applicable = $enabled }
+ $auditResult += [WELA]::New(
+ "PowerShell",
+ "Module",
+ $enabled,
+ [array]$rules,
+ "No Auditing",
+ "",
+ "",
+ ""
+ )
+
+ ## ScriptBlock
+ $guid = ""
+ $eids = @("4104")
+ $channels = @("pwsh")
+ $enabled = CheckRegistryValue -registryPath "HKLM:\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging" -valueName "EnableScriptBlockLogging" -expectedValue 1
+ $rules = $all_rules | Where-Object { RuleFilter $_ $eids $channels $guid }
+ $rules | ForEach-Object { $_.applicable = $enabled }
+ $auditResult += [WELA]::New(
+ "PowerShell",
+ "ScriptBlock",
+ $enabled,
+ [array]$rules,
+ "Patially",
+ "",
+ "",
+ ""
+ )
+
+ # PrintService Admin
+ $guid = ""
+ $eids = @()
+ $channels = @("Microsoft-Windows-PrintService/Admin")
+ $enabled = $true
+ $rules = $all_rules | Where-Object { RuleFilter $_ $eids $channels $guid }
+ $rules | ForEach-Object { $_.applicable = $enabled }
+ $auditResult += [WELA]::New(
+ "PrintService",
+ "PrintService Admin",
+ $enabled,
+ [array]$rules,
+ "Enabled",
+ "",
+ "",
+ ""
+ )
+
+ # PrintService Operational
+ $guid = ""
+ $eids = @()
+ $channels = @("Microsoft-Windows-PrintService/Operational")
+ $enabled = $true
+ $rules = $all_rules | Where-Object { RuleFilter $_ $eids $channels $guid }
+ $rules | ForEach-Object { $_.applicable = $enabled }
+ $auditResult += [WELA]::New(
+ "PrintService",
+ "PrintService Operational",
+ $enabled,
+ [array]$rules,
+ "Enabled",
+ "",
+ "",
+ ""
+ )
+
+ # Security
+ ## Advanced
+ ### Account Logon
+ #### Credential Validation
+ $guid = "0CCE923F-69AE-11D9-BED3-505054503030"
+ $eids = @()
+ $channels = @("sec")
+ $enabled = $enabledguid -contains $guid
+ $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
+ $auditResult += [WELA]::New(
+ "Security Advanced (Account Logon)",
+ "Credential Validation",
+ $enabled,
+ [array]$rules,
+ "Client OS: No Auditing | Server OS: Success",
+ "Success and Failure",
+ "",
+ ""
+ )
+
+ #### Kerberos Authentication Service
+ $guid = "0CCE9242-69AE-11D9-BED3-505054503030"
+ $eids = @()
+ $channels = @("sec")
+ $enabled = $enabledguid -contains $guid
+ $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
+ $auditResult += [WELA]::New(
+ "Security Advanced (Account Logon)",
+ "Kerberos Authentication Service",
+ $enabled,
+ [array]$rules,
+ "Client OS: No Auditing | Server OS: Success",
+ "",
+ "",
+ ""
+ )
+
+ #### Kerberos Service Ticket Operations
+ $guid = "0CCE9240-69AE-11D9-BED3-505054503030"
+ $eids = @()
+ $channels = @("sec")
+ $enabled = $enabledguid -contains $guid
+ $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
+ $auditResult += [WELA]::New(
+ "Security Advanced (Account Logon)",
+ "Kerberos Service Ticket Operations",
+ $enabled,
+ [array]$rules,
+ "Client OS: No Auditing | Server OS: Success",
+ "",
+ "",
+ ""
+ )
+
+ ### Account Management
+ #### Computer Account Management
+ $guid = "0CCE9236-69AE-11D9-BED3-505054503030"
+ $eids = @()
+ $channels = @("sec")
+ $enabled = $enabledguid -contains $guid
+ $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
+ $auditResult += [WELA]::New(
+ "Security Advanced (Account Management)",
+ "Computer Account Management",
+ $enabled,
+ [array]$rules,
+ "Client OS: No Auditing | Server OS: Success",
+ "Success and Failure",
+ "",
+ ""
+ )
+
+ #### Other Account Management Events
+ $guid = "0CCE923A-69AE-11D9-BED3-505054503030"
+ $eids = @()
+ $channels = @("sec")
+ $enabled = $enabledguid -contains $guid
+ $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
+ $auditResult += [WELA]::New(
+ "Security Advanced (Account Management)",
+ "Other Account Management Events",
+ $enabled,
+ [array]$rules,
+ "No Auditing",
+ "Success and Failure",
+ "",
+ ""
+ )
+
+ #### Security Group Management
+ $guid = "0CCE9237-69AE-11D9-BED3-505054503030"
+ $eids = @()
+ $channels = @("sec")
+ $enabled = $enabledguid -contains $guid
+ $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
+ $auditResult += [WELA]::New(
+ "Security Advanced (Account Management)",
+ "Security Group Management",
+ $enabled,
+ [array]$rules,
+ "No Auditing",
+ "Success and Failure",
+ "",
+ ""
+ )
+
+ #### User Account Management
+ $guid = "0CCE9235-69AE-11D9-BED3-505054503030"
+ $eids = @()
+ $channels = @("sec")
+ $enabled = $enabledguid -contains $guid
+ $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
+ $auditResult += [WELA]::New(
+ "Security Advanced (Account Management)",
+ "User Account Management",
+ $enabled,
+ [array]$rules,
+ "No Auditing",
+ "Success and Failure",
+ "",
+ ""
+ )
+
+ ### Detailed Tracking
+ #### Plug and Play Events
+ $guid = "0CCE9248-69AE-11D9-BED3-505054503030"
+ $eids = @()
+ $channels = @("sec")
+ $enabled = $enabledguid -contains $guid
+ $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
+ $auditResult += [WELA]::New(
+ "Security Advanced (Detailed Tracking)",
+ "Plug and Play Events",
+ $enabled,
+ [array]$rules,
+ "No Auditing",
+ "",
+ "",
+ ""
+ )
+
+ #### Process Creation
+ $guid = "0CCE922B-69AE-11D9-BED3-505054503030"
+ $eids = @()
+ $channels = @("sec")
+ $enabled = $enabledguid -contains $guid
+ $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
+ $auditResult += [WELA]::New(
+ "Security Advanced (Detailed Tracking)",
+ "Process Creation",
+ $enabled,
+ [array]$rules,
+ "No Auditing",
+ "Success",
+ "",
+ "Include command line in process creation events"
+ )
+
+ #### Process Termination
+ $guid = "0CCE922C-69AE-11D9-BED3-505054503030"
+ $eids = @()
+ $channels = @("sec")
+ $enabled = $enabledguid -contains $guid
+ $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
+ $auditResult += [WELA]::New(
+ "Security Advanced (Detailed Tracking)",
+ "Process Termination",
+ $enabled,
+ [array]$rules,
+ "No Auditing",
+ "",
+ "",
+ ""
+ )
+
+ #### RPC Events
+ $guid = "0CCE922E-69AE-11D9-BED3-505054503030"
+ $eids = @()
+ $channels = @("sec")
+ $enabled = $enabledguid -contains $guid
+ $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
+ $auditResult += [WELA]::New(
+ "Security Advanced (Detailed Tracking)",
+ "RPC Events",
+ $enabled,
+ [array]$rules,
+ "No Auditing",
+ "",
+ "",
+ ""
+ )
+
+ #### Token Right Adjusted Events
+ $guid = "0CCE922E-69AE-11D9-BED3-505054503030"
+ $eids = @()
+ $channels = @("sec")
+ $enabled = $enabledguid -contains $guid
+ $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
+ $auditResult += [WELA]::New(
+ "Security Advanced (Detailed Tracking)",
+ "Token Right Adjusted Events",
+ $enabled,
+ [array]$rules,
+ "No Auditing",
+ "",
+ "",
+ ""
+ )
+
+ ### DS (Directory Service) Access
+ #### Directory Service Access
+ $guid = "0CCE923B-69AE-11D9-BED3-505054503030"
+ $eids = @()
+ $channels = @("sec")
+ $enabled = $enabledguid -contains $guid
+ $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
+ $auditResult += [WELA]::New(
+ "Security Advanced (DS Access)",
+ "Directory Service Access",
+ $enabled,
+ [array]$rules,
+ "Client OS: No Auditing | Server OS: Success",
+ "Success and Failure",
+ "",
+ ""
+ )
+
+ #### Directory Service Changes
+ $guid = "0CCE923C-69AE-11D9-BED3-505054503030"
+ $eids = @()
+ $channels = @("sec")
+ $enabled = $enabledguid -contains $guid
+ $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
+ $auditResult += [WELA]::New(
+ "Security Advanced (DS Access)",
+ "Directory Service Changes",
+ $enabled,
+ [array]$rules,
+ "No Auditing",
+ "Success and Failure",
+ "",
+ ""
+ )
+
+ ### Logon/Logoff
+ #### Account Lockout
+ $guid = "0CCE9217-69AE-11D9-BED3-505054503030"
+ $eids = @()
+ $channels = @("sec")
+ $enabled = $enabledguid -contains $guid
+ $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
+ $auditResult += [WELA]::New(
+ "Security Advanced (Logon/Logoff)",
+ "Account Lockout",
+ $enabled,
+ [array]$rules,
+ "Success",
+ "Failure",
+ "",
+ ""
+ )
+
+ #### Group Membership
+ $guid = "0CCE9249-69AE-11D9-BED3-505054503030"
+ $eids = @()
+ $channels = @("sec")
+ $enabled = $enabledguid -contains $guid
+ $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
+ $auditResult += [WELA]::New(
+ "Security Advanced (Logon/Logoff)",
+ "Group Membership",
+ $enabled,
+ [array]$rules,
+ "No Auditing",
+ "Success",
+ "",
+ ""
+ )
+
+ #### Logoff
+ $guid = "0CCE9216-69AE-11D9-BED3-505054503030"
+ $eids = @()
+ $channels = @("sec")
+ $enabled = $enabledguid -contains $guid
+ $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
+ $auditResult += [WELA]::New(
+ "Security Advanced (Logon/Logoff)",
+ "Group Membership",
+ $enabled,
+ [array]$rules,
+ "No Auditing",
+ "Success",
+ "",
+ ""
+ )
+
+ #### Logon
+ $guid = "0CCE9215-69AE-11D9-BED3-505054503030"
+ $eids = @()
+ $channels = @("sec")
+ $enabled = $enabledguid -contains $guid
+ $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
+ $auditResult += [WELA]::New(
+ "Security Advanced (Logon/Logoff)",
+ "Logon",
+ $enabled,
+ [array]$rules,
+ "Client OS: Success | Server OS: Success and Failure",
+ "Success and Failure",
+ "",
+ ""
+ )
+
+ #### Other Logon/Logoff Events
+ $guid = "0CCE921C-69AE-11D9-BED3-505054503030"
+ $eids = @()
+ $channels = @("sec")
+ $enabled = $enabledguid -contains $guid
+ $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
+ $auditResult += [WELA]::New(
+ "Security Advanced (Logon/Logoff)",
+ "Other Logon/Logoff Events",
+ $enabled,
+ [array]$rules,
+ "No Auditing",
+ "Success and Failure",
+ "",
+ ""
+ )
+
+ #### Special Logon
+ $guid = "0CCE921B-69AE-11D9-BED3-505054503030"
+ $eids = @()
+ $channels = @("sec")
+ $enabled = $enabledguid -contains $guid
+ $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
+ $auditResult += [WELA]::New(
+ "Security Advanced (Logon/Logoff)",
+ "Special Logon",
+ $enabled,
+ [array]$rules,
+ "Success",
+ "Success",
+ "",
+ ""
+ )
+
+
+ ### Object Access
+ #### Certification Services
+ $guid = "0CCE9221-69AE-11D9-BED3-505054503030"
+ $eids = @()
+ $channels = @("sec")
+ $enabled = $enabledguid -contains $guid
+ $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
+ $auditResult += [WELA]::New(
+ "Security Advanced (Object Access)",
+ "Certification Services",
+ $enabled,
+ [array]$rules,
+ "No Auditing",
+ "",
+ "",
+ ""
+ )
+
+ #### Detailed File Share
+ $guid = "0CCE9244-69AE-11D9-BED3-505054503030"
+ $eids = @()
+ $channels = @("sec")
+ $enabled = $enabledguid -contains $guid
+ $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
+ $auditResult += [WELA]::New(
+ "Security Advanced (Object Access)",
+ "Certification Services",
+ $enabled,
+ [array]$rules,
+ "No Auditing",
+ "",
+ "",
+ "Enabling this setting is not recommended due to the high noise level)"
+ )
+
+ #### File Share
+ $guid = "0CCE9224-69AE-11D9-BED3-505054503030"
+ $eids = @()
+ $channels = @("sec")
+ $enabled = $enabledguid -contains $guid
+ $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
+ $auditResult += [WELA]::New(
+ "Security Advanced (Object Access)",
+ "File Share",
+ $enabled,
+ [array]$rules,
+ "No Auditing",
+ "Success and Failure",
+ "",
+ ""
+ )
+
+ #### File System
+ $guid = "0CCE921D-69AE-11D9-BED3-505054503030"
+ $eids = @()
+ $channels = @("sec")
+ $enabled = $enabledguid -contains $guid
+ $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
+ $auditResult += [WELA]::New(
+ "Security Advanced (Object Access)",
+ "File System",
+ $enabled,
+ [array]$rules,
+ "No Auditing",
+ "",
+ "",
+ ""
+ )
+
+ #### Filtering Platform Connection
+ $guid = "0CCE9226-69AE-11D9-BED3-505054503030"
+ $eids = @()
+ $channels = @("sec")
+ $enabled = $enabledguid -contains $guid
+ $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
+ $auditResult += [WELA]::New(
+ "Security Advanced (Object Access)",
+ "Filtering Platform Connection",
+ $enabled,
+ [array]$rules,
+ "No Auditing",
+ "",
+ "",
+ ""
+ )
+
+ #### Filtering Platform Packet Drop
+ $guid = "0CCE9225-69AE-11D9-BED3-505054503030"
+ $eids = @()
+ $channels = @("sec")
+ $enabled = $enabledguid -contains $guid
+ $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
+ $auditResult += [WELA]::New(
+ "Security Advanced (Object Access)",
+ "Filtering Platform Packet Drop",
+ $enabled,
+ [array]$rules,
+ "No Auditing",
+ "",
+ "",
+ ""
+ )
+
+ #### Kernel Object
+ $guid = "0CCE921F-69AE-11D9-BED3-505054503030"
+ $eids = @()
+ $channels = @("sec")
+ $enabled = $enabledguid -contains $guid
+ $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
+ $auditResult += [WELA]::New(
+ "Security Advanced (Object Access)",
+ "Kernel Object",
+ $enabled,
+ [array]$rules,
+ "No Auditing",
+ "Success and Failure",
+ "",
+ ""
+ )
+
+ #### Handle Manipulation
+ $guid = "0CCE9223-69AE-11D9-BED3-505054503030"
+ $eids = @()
+ $channels = @("sec")
+ $enabled = $enabledguid -contains $guid
+ $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
+ $auditResult += [WELA]::New(
+ "Security Advanced (Object Access)",
+ "Handle Manipulation",
+ $enabled,
+ [array]$rules,
+ "No Auditing",
+ "",
+ "",
+ ""
+ )
+
+ #### Other Object Access Events
+ $guid = "0CCE9227-69AE-11D9-BED3-505054503030"
+ $eids = @()
+ $channels = @("sec")
+ $enabled = $enabledguid -contains $guid
+ $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
+ $auditResult += [WELA]::New(
+ "Security Advanced (Object Access)",
+ "Other Object Access Events",
+ $enabled,
+ [array]$rules,
+ "No Auditing",
+ "Success and Failure",
+ "",
+ ""
+ )
+
+ #### Registry
+ $guid = "0CCE921E-69AE-11D9-BED3-505054503030"
+ $eids = @()
+ $channels = @("sec")
+ $enabled = $enabledguid -contains $guid
+ $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
+ $auditResult += [WELA]::New(
+ "Security Advanced (Object Access)",
+ "Registry",
+ $enabled,
+ [array]$rules,
+ "No Auditing",
+ "Success and Failure",
+ "",
+ ""
+ )
+
+ #### Removable Storage
+ $guid = "0CCE9245-69AE-11D9-BED3-505054503030"
+ $eids = @()
+ $channels = @("sec")
+ $enabled = $enabledguid -contains $guid
+ $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
+ $auditResult += [WELA]::New(
+ "Security Advanced (Object Access)",
+ "Removable Storage",
+ $enabled,
+ [array]$rules,
+ "No Auditing",
+ "",
+ "",
+ ""
+ )
+
+ #### SAM
+ $guid = "0CCE9220-69AE-11D9-BED3-505054503030"
+ $eids = @()
+ $channels = @("sec")
+ $enabled = $enabledguid -contains $guid
+ $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
+ $auditResult += [WELA]::New(
+ "Security Advanced (Object Access)",
+ "SAM",
+ $enabled,
+ [array]$rules,
+ "No Auditing",
+ "",
+ "",
+ ""
+ )
+
+ ### Policy Change
+ #### Audit Policy Change
+ $guid = "0CCE922F-69AE-11D9-BED3-505054503030"
+ $eids = @()
+ $channels = @("sec")
+ $enabled = $enabledguid -contains $guid
+ $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
+ $auditResult += [WELA]::New(
+ "Security Advanced (Policy Change)",
+ "Audit Policy Change",
+ $enabled,
+ [array]$rules,
+ "Success",
+ "Success and Failure",
+ "",
+ ""
+ )
+
+ #### Authentication Policy Change
+ $guid = "0CCE9230-69AE-11D9-BED3-505054503030"
+ $eids = @()
+ $channels = @("sec")
+ $enabled = $enabledguid -contains $guid
+ $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
+ $auditResult += [WELA]::New(
+ "Security Advanced (Policy Change)",
+ "Authentication Policy Change",
+ $enabled,
+ [array]$rules,
+ "Success",
+ "Success",
+ "",
+ ""
+ )
+
+ #### Authorization Policy Change
+ $guid = "0CCE9231-69AE-11D9-BED3-505054503030"
+ $eids = @()
+ $channels = @("sec")
+ $enabled = $enabledguid -contains $guid
+ $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
+ $auditResult += [WELA]::New(
+ "Security Advanced (Policy Change)",
+ "Authorization Policy Change",
+ $enabled,
+ [array]$rules,
+ "No Auditing",
+ "",
+ "",
+ ""
+ )
+
+ #### Filtering Platform Policy Change
+ $guid = "0CCE9233-69AE-11D9-BED3-505054503030"
+ $eids = @()
+ $channels = @("sec")
+ $enabled = $enabledguid -contains $guid
+ $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
+ $auditResult += [WELA]::New(
+ "Security Advanced (Policy Change)",
+ "Filtering Platform Policy Change",
+ $enabled,
+ [array]$rules,
+ "No Auditing",
+ "",
+ "",
+ ""
+ )
+
+ #### MPSSVC Rule-Level Policy Change
+ $guid = "0CCE9232-69AE-11D9-BED3-505054503030"
+ $eids = @()
+ $channels = @("sec")
+ $enabled = $enabledguid -contains $guid
+ $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
+ $auditResult += [WELA]::New(
+ "Security Advanced (Policy Change)",
+ "MPSSVC Rule-Level Policy Change",
+ $enabled,
+ [array]$rules,
+ "No Auditing",
+ "",
+ "",
+ ""
+ )
+
+ #### Other Policy Change Events
+ $guid = "0CCE9234-69AE-11D9-BED3-505054503030"
+ $eids = @()
+ $channels = @("sec")
+ $enabled = $enabledguid -contains $guid
+ $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
+ $auditResult += [WELA]::New(
+ "Security Advanced (Policy Change)",
+ "Other Policy Change Events",
+ $enabled,
+ [array]$rules,
+ "No Auditing",
+ "Success and Failure",
+ "",
+ ""
+ )
+
+ ### Privilege Use
+ #### Non-Sensitive Privilege Use
+ $guid = "0CCE9229-69AE-11D9-BED3-505054503030"
+ $eids = @()
+ $channels = @("sec")
+ $enabled = $enabledguid -contains $guid
+ $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
+ $auditResult += [WELA]::New(
+ "Security Advanced (Privilege Use)",
+ "Non-Sensitive Privilege Use",
+ $enabled,
+ [array]$rules,
+ "No Auditing",
+ "",
+ "",
+ ""
+ )
+
+ #### Sensitive Privilege Use
+ $guid = "0CCE9228-69AE-11D9-BED3-505054503030"
+ $eids = @()
+ $channels = @("sec")
+ $enabled = $enabledguid -contains $guid
+ $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
+ $auditResult += [WELA]::New(
+ "Security Advanced (Privilege Use)",
+ "Sensitive Privilege Use",
+ $enabled,
+ [array]$rules,
+ "No Auditing",
+ "",
+ "",
+ ""
+ )
+
+ ### System
+ #### Other System Events
+ $guid = "0CCE9214-69AE-11D9-BED3-505054503030"
+ $eids = @()
+ $channels = @("sec")
+ $enabled = $enabledguid -contains $guid
+ $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
+ $auditResult += [WELA]::New(
+ "Security Advanced (System)",
+ "Other System Events",
+ $enabled,
+ [array]$rules,
+ "Success and Failure",
+ "",
+ "",
+ ""
+ )
+
+ #### Security State Change
+ $guid = "0CCE9210-69AE-11D9-BED3-505054503030"
+ $eids = @()
+ $channels = @("sec")
+ $enabled = $enabledguid -contains $guid
+ $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
+ $auditResult += [WELA]::New(
+ "Security Advanced (System)",
+ "Other System Events",
+ $enabled,
+ [array]$rules,
+ "Success",
+ "Success and Failure",
+ ""
+ )
+
+ #### Security System Extension
+ $guid = "0CCE9211-69AE-11D9-BED3-505054503030"
+ $eids = @()
+ $channels = @("sec")
+ $enabled = $enabledguid -contains $guid
+ $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
+ $auditResult += [WELA]::New(
+ "Security Advanced (System)",
+ "Security System Extension",
+ $enabled,
+ [array]$rules,
+ "No Auditing",
+ "Success and Failure",
+ "",
+ ""
+ )
+
+ #### System Integrity
+ $guid = "0CCE9212-69AE-11D9-BED3-505054503030"
+ $eids = @()
+ $channels = @("sec")
+ $enabled = $enabledguid -contains $guid
+ $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid
+ $auditResult += [WELA]::New(
+ "Security Advanced (System)",
+ "System Integrity",
+ $enabled,
+ [array]$rules,
+ "Success and Failure",
+ "Success and Failure",
+ "",
+ ""
+ )
+
+ # Security-Mitigations KernelMode
+ $guid = ""
+ $eids = @()
+ $channels = @("Microsoft-Windows-Security-Mitigations*")
+ $enabled = $true
+ $rules = $all_rules | Where-Object { RuleFilter $_ $eids $channels $guid }
+ $rules | ForEach-Object { $_.applicable = $enabled }
+ $auditResult += [WELA]::New(
+ "Security-Mitigations KernelMode",
+ "",
+ $enabled,
+ [array]$rules,
+ "Enabled",
+ "",
+ "",
+ ""
+ )
+
+ # Security-Mitigations UserMode
+ $guid = ""
+ $eids = @()
+ $channels = @("Microsoft-Windows-Security-Mitigations*")
+ $enabled = $true
+ $rules = $all_rules | Where-Object { RuleFilter $_ $eids $channels $guid }
+ $rules | ForEach-Object { $_.applicable = $enabled }
+ $auditResult += [WELA]::New(
+ "Security-Mitigations UserMode",
+ "",
+ $enabled,
+ [array]$rules,
+ "Enabled",
+ "",
+ "",
+ ""
+ )
+
+ # SMBClient Security
+ $guid = ""
+ $eids = @()
+ $channels = @("Microsoft-Windows-SmbClient/Security")
+ $enabled = $true
+ $rules = $all_rules | Where-Object { RuleFilter $_ $eids $channels $guid }
+ $rules | ForEach-Object { $_.applicable = $enabled }
+ $auditResult += [WELA]::New(
+ "SMBClient Security",
+ "",
+ $enabled,
+ [array]$rules,
+ "Enabled",
+ "",
+ "",
+ ""
+ )
+
+ # System
+ $guid = ""
+ $eids = @()
+ $channels = @("System")
+ $enabled = $true
+ $rules = $all_rules | Where-Object { RuleFilter $_ $eids $channels $guid }
+ $rules | ForEach-Object { $_.applicable = $enabled }
+ $auditResult += [WELA]::New(
+ "System",
+ "",
+ $enabled,
+ [array]$rules,
+ "Enabled",
+ "",
+ "",
+ ""
+ )
+
+ # TaskScheduler Operational
+ $guid = ""
+ $eids = @()
+ $channels = @("Microsoft-Windows-TaskScheduler/Operational")
+ $enabled = $true
+ $rules = $all_rules | Where-Object { RuleFilter $_ $eids $channels $guid }
+ $rules | ForEach-Object { $_.applicable = $enabled }
+ $auditResult += [WELA]::New(
+ "TaskScheduler Operational",
+ "",
+ $enabled,
+ [array]$rules,
+ "Enabled",
+ "",
+ "",
+ ""
+ )
+
+ # TerminalServices-LocalSessionManager Operational
+ $guid = ""
+ $eids = @()
+ $channels = @("Microsoft-Windows-TerminalServices-LocalSessionManager/Operational")
+ $enabled = $true
+ $rules = $all_rules | Where-Object { RuleFilter $_ $eids $channels $guid }
+ $rules | ForEach-Object { $_.applicable = $enabled }
+ $auditResult += [WELA]::New(
+ "TerminalServices-LocalSessionManager Operational",
+ "",
+ $enabled,
+ [array]$rules,
+ "Enabled",
+ "",
+ "",
+ ""
+ )
+
+ # WMI-Activity Operational
+ $guid = ""
+ $eids = @()
+ $channels = @("Microsoft-Windows-WMI-Activity/Operational")
+ $enabled = $true
+ $rules = $all_rules | Where-Object { RuleFilter $_ $eids $channels $guid }
+ $rules | ForEach-Object { $_.applicable = $enabled }
+ $auditResult += [WELA]::New(
+ "WMI-Activity Operational",
+ "",
+ $enabled,
+ [array]$rules,
+ "Enabled",
+ "",
+ "",
+ ""
+ )
+
+ # Windows Defender Operational
+ $guid = ""
+ $eids = @()
+ $channels = @("Microsoft-Windows-Windows Defender/Operational")
+ $enabled = $true
+ $rules = $all_rules | Where-Object { RuleFilter $_ $eids $channels $guid }
+ $rules | ForEach-Object { $_.applicable = $enabled }
+ $auditResult += [WELA]::New(
+ "Windows Defender Operational",
+ "",
+ $enabled,
+ [array]$rules,
+ "Enabled",
+ "",
+ "",
+ ""
+ )
+ return $auditResult
+}
+
+
+
+function AuditLogSetting {
+ param (
+ [string] $outType,
+ [string] $guide,
+ [bool] $debug
+ )
+
+ $autidpolTxt = "./auditpol.txt"
+ if (-not $debug) {
+ Start-Process -FilePath "cmd.exe" -ArgumentList "/c chcp 437 & auditpol /get /category:* /r" -NoNewWindow -Wait -RedirectStandardOutput $autidpolTxt
+ }
+ $enabledguid = [System.Collections.Generic.HashSet[string]]::new()
+ Get-Content -Path $autidpolTxt | Select-String -NotMatch "No Auditing" | ForEach-Object {
+ if ($_ -match '{(.*?)}') {
+ [void]$enabledguid.Add($matches[1])
+ }
+ }
+ $all_rules = Get-Content -Path "config/security_rules.json" -Raw | ConvertFrom-Json
+ $all_rules | ForEach-Object 
{ + $_ | Add-Member -MemberType NoteProperty -Name "applicable" -Value $false + } + $auditResult = @() + + if ($guide.ToLower() -eq "yamatosecurity") { + $auditResult = GuideYamatoSecurity $all_rules + } elseif ($guide.ToLower() -eq "asd") { + $auditResult = GuideASD $all_rules + } elseif ($guide.ToLower() -eq "microsoft_client") { + $auditResult = GuideMSC $all_rules + } elseif ($guide.ToLower() -eq "microsoft_server") { + $auditResult = GuideMSS $all_rules + } $auditResult | ForEach-Object { $_.SetApplicable($enabledguid) 
@@ -1555,36 +5004,25 @@ $logo = @" $help = @" Usage: - ./WELA.ps1 audit-settings # Audit current setting and show in stdout, save to csv - ./WELA.ps1 audit-settings gui # Audit current setting and show in gui, save to csv - ./WELA.ps1 audit-settings table # Audit current setting and show in table layout, save to csv - ./WELA.ps1 audit-filesize # Audit current file size and show in stdout, save to csv - ./WELA.ps1 update-rules # Update rule config files from https://github.com/Yamato-Security/WELA + ./WELA.ps1 -Cmd audit-settings -Guide YamatoSecurity # Audit current setting and show in stdout, save to csv + ./WELA.ps1 -Cmd audit-settings -Guide ASD -OutType gui # Audit current setting and show in gui, save to csv + ./WELA.ps1 -Cmd audit-filesize -Guide YamatoSecurity # Audit current file size and show in stdout, save to csv + ./WELA.ps1 -Cmd update-rules # Update rule config files from https://github.com/Yamato-Security/WELA ./WELA.ps1 help # Show this help "@ + [Console]::OutputEncoding = [System.Text.Encoding]::UTF8 Write-Host $logo -ForegroundColor Green -if ($args.Count -eq 0) { - Write-Host $help - exit 1 -} - -$command = $args[0].ToLower() - -switch ($command) { +switch ($Cmd.ToLower()) { "audit-settings" { - $outType = "std" - $debug = $false - if ($args.Count -eq 2) { - $outType = $args[1].ToLower() + $validGuides = @("YamatoSecurity", "ASD", "Microsoft_Client", "Microsoft_Server") + if (-not ($validGuides -contains $Guide.ToLower())) { + Write-Host "Invalid Guide specified. Valid options are: YamatoSecurity, ASD, Microsoft_Client, Microsoft_Server." + break } - if ($args.Count -eq 3) { - $outType = $args[1].ToLower() - $debug = $args[2].ToLower() -eq "debug" - } - AuditLogSetting $outType $debug + AuditLogSetting $OutType $Guide $Debug } "audit-filesize" { AuditFileSize 
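Review bot: The `-OutType` value is now handed to `AuditLogSetting` exactly as typed, whereas the removed `$args[1].ToLower()` normalized it, so a caller passing `-OutType GUI` or `Table` may no longer hit whichever branch the callee matches on (the callee is outside this hunk, so that part is inferred); `AuditLogSetting $OutType.ToLower() $Guide $Debug` keeps the old behaviour. The guide check itself works because `-contains` compares case-insensitively, but on a bad `-Guide` it only `break`s out of the switch, so the script ends with exit code 0 and a scheduled or scripted audit run that never produced output looks successful; put `exit 1` after the "Invalid Guide specified" `Write-Host`. If `$Guide` and `$OutType` are declared in a `param()` block at the top of the script, a `[ValidateSet("YamatoSecurity", "ASD", "Microsoft_Client", "Microsoft_Server")]` attribute on `$Guide` would reject bad values before the switch runs and make the hand-rolled `$validGuides` list unnecessary.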
@@ -1593,11 +5031,11 @@ switch ($command) { "update-rules" { UpdateRules } - "help" { Write-Host $help } default { + Write-Host "Invalid command. Use 'help' to see available commands." Write-Host $help } } \ No newline at end of file
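Review bot: Removing the `"help"` case means `-Cmd help`, which the usage text in the preceding hunk still advertises as `./WELA.ps1 help`, now lands in `default` and prints "Invalid command. Use 'help' to see available commands." ahead of the help it asked for; keep `"help" { Write-Host $help }` above `default`. The `default` branch also finishes with exit code 0, while the removed no-argument path did `exit 1`, so a wrapper script can no longer tell an unknown command from a successful run; add `exit 1` after `Write-Host $help` in `default`. The usage line `./WELA.ps1 help` is also the only example still in positional form while every other one uses `-Cmd`, which is worth aligning in the same change.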