CSEC_PUBLIC/WELA
1
0
Fork 0
mirror of https://github.com/Yamato-Security/WELA.git synced 2025-12-06 09:12:46 +01:00
Code Issues Packages Projects Releases Wiki Activity

feat: refactor and add output option

Browse Source
This commit is contained in:
fukusuket
2025-04-13 21:31:43 +09:00
parent e99a843ba7
commit d4e8b4cea4
3 changed files with 1076 additions and 670 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1148
WELA.ps1
View File

File diff suppressed because it is too large Load Diff

223
WELAFunctions.psm1
View File

@@ -1,223 +0,0 @@
<#
.SYNOPSIS
Checks if a registry value matches the expected value.
.DESCRIPTION
This function retrieves a registry value and compares it to the expected value.
.PARAMETER registryPath
The path to the registry key.
.PARAMETER valueName
The name of the registry value.
.PARAMETER expectedValue
The expected value to compare against.
.RETURNS
[bool] $true if the registry value matches the expected value, otherwise $false.
#>
function CheckRegistryValue {
param (
[string]$registryPath,
[string]$valueName,
[int]$expectedValue
)
try {
$value = Get-ItemProperty -Path $registryPath -Name $valueName -ErrorAction Stop
if ($value.$valueName -eq $expectedValue) {
return $true
} else {
return $false
}
} catch {
return $false
}
}
<#
.SYNOPSIS
Sets the applicable rules based on the provided audit policy text and JSON rule path.
.DESCRIPTION
This function reads the audit policy text file and extracts GUIDs. It then checks the registry values for PowerShell logging settings and updates the applicability of rules in the JSON file based on these settings and the extracted GUIDs.
.PARAMETER autidpolTxt
The path to the audit policy text file.
.PARAMETER jsonRulePath
The path to the JSON rule file.
.RETURNS
The updated JSON content with the applicability of rules set.
.EXAMPLE
Set-Applicable -autidpolTxt "C:\path\to\auditpol.txt" -jsonRulePath "C:\path\to\rules.json"
#>
function Set-Applicable {
param (
[string]$autidpolTxt,
[string]$jsonRulePath
)
$extractedGuids = [System.Collections.Generic.HashSet[string]]::new()
Get-Content -Path $autidpolTxt | Select-String -NotMatch "No Auditing" | ForEach-Object {
if ($_ -match '{(.*?)}') {
[void]$extractedGuids.Add($matches[1])
}
}
$pwshModuleLogging = CheckRegistryValue -registryPath "HKLM:\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\PowerShell\ModuleLogging" -valueName "EnableModuleLogging" -expectedValue 1
$pwshScriptLogging = CheckRegistryValue -registryPath "HKLM:\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging" -valueName "EnableScriptBlockLogging" -expectedValue 1
$jsonContent = Get-Content -Path $jsonRulePath -Raw | ConvertFrom-Json
foreach ($rule in $jsonContent) {
$rule | Add-Member -MemberType NoteProperty -Name "applicable" -Value $false
if ($rule.channel -eq "pwsh") {
if ($rule.event_ids -contains "400" -or $rule.event_ids -contains "600" -or $rule.event_ids.Count -eq 0) {
$rule.applicable = $true
} elseif ($rule.event_ids -contains "4103") {
$rule.applicable = $pwshModuleLogging
} elseif ($rule.event_ids -contains "4104") {
$rule.applicable = $pwshScriptLogging
}
continue
}
foreach ($guid in $rule.subcategory_guids) {
if ($extractedGuids.Contains($guid)) {
$rule.applicable = $true
break
}
}
}
return $jsonContent
}
<#
.SYNOPSIS
Groups the rules by their level and counts the number of rules in each level.
.PARAMETER rules
The collection of rules to be grouped and counted.
.RETURNS
A hashtable with the count of rules for each level.
#>
function Get-RuleCounts {
param ($rules)
$levels = @("critical", "high", "medium", "low", "informational")
$counts = @{}
$rules | Group-Object -Property level | ForEach-Object {
$counts[$_.Name] = $_.Count
}
foreach ($level in $levels) {
if (-not $counts.ContainsKey($level)) {
$counts[$level] = 0
}
}
return $counts.GetEnumerator() | ForEach-Object {
[PSCustomObject]@{
Level = $_.Key
Count = $_.Value
}
}
}
<#
.SYNOPSIS
Calculates the usable rate of rules based on their counts and total counts.
.PARAMETER counts
The counts of usable rules for each level.
.PARAMETER totalCounts
The total counts of rules for each level.
.RETURNS
A collection of objects representing the usable rate for each level.
#>
function CalculateUsableRate {
param ($counts, $totalCounts)
$result = @()
$totalCounts | ForEach-Object {
$level = $_.Level
$total = $_.Count
$usableCount = ($counts | Where-Object Level -eq $level | Select-Object -ExpandProperty Count -First 1)
if ($null -eq $usableCount) { $usableCount = 0 }
$percentage = if ($total -ne 0) { "{0:N2}" -f ($usableCount / $total * 100) } else { "0.00" }
$result += [PSCustomObject]@{
Level = $level
UsableCount = $usableCount
TotalCount = $total
Percentage = $percentage
}
}
return $result
}
<#
.SYNOPSIS
Calculates the total usable rate of rules.
.PARAMETER usableRate
The collection of objects representing the usable rate for each level.
.RETURNS
A string representing the total usable rate as a percentage.
#>
function CalculateTotalUsableRate {
param ($usableRate)
$totalUsable = ($usableRate | Measure-Object -Property UsableCount -Sum).Sum
$totalRulesCount = ($usableRate | Measure-Object -Property TotalCount -Sum).Sum
return "{0:N2}%" -f ($totalUsable / $totalRulesCount * 100)
}
<#
.SYNOPSIS
Displays the counts of rules by their level with color-coded output.
.PARAMETER usableRate
The collection of objects representing the usable rate for each level.
.PARAMETER msg
The message to display before the counts.
.PARAMETER colorMsg
The message to display with color coding.
#>
function ShowRulesCountsByLevel {
param ($usableRate, $msg, $colorMsg)
Write-Host -NoNewline $msg
$color = if ($colorMsg -match "Disabled") { "Red" } elseif ($colorMsg -match "Partially") { "Yellow" } else { "Green" }
Write-Host "$colorMsg" -ForegroundColor $color
$levelColorMap = [ordered]@{
"critical" = "Red"
"high" = "DarkYellow"
"medium" = "Yellow"
"low" = "Green"
"informational" = "White" # Assuming a default color for informational
}
$i = 0
Write-Host -NoNewline " - "
$usableRate | Sort-Object { $levelColorMap.Keys.IndexOf($_.Level) } | ForEach-Object {
$color = $levelColorMap[$_.Level]
$level = if ($_.Level -match "informational") { "info" } else { $_.Level }
Write-Host -NoNewline "$($level): $($_.UsableCount)/$($_.TotalCount) ($($_.Percentage)%)" -ForegroundColor $color
if ($i -lt $usableRate.Count - 1)
{
Write-Host -NoNewline ", "
}
$i++
}
Write-Output ""
Write-Output ""
}
<#
.SYNOPSIS
Checks if the current user is an administrator.
.DESCRIPTION
This function determines if the current user has administrative privileges.
.RETURNS
[bool] $true if the current user is an administrator, otherwise $false.
#>
function Test-IsAdministrator {
$currentUser = [Security.Principal.WindowsIdentity]::GetCurrent()
$adminRole = [Security.Principal.WindowsBuiltInRole]::Administrator
return (New-Object Security.Principal.WindowsPrincipal($currentUser)).IsInRole($adminRole)
}

375
WELAVerboseSecAudit.psm1
View File

@@ -1,375 +0,0 @@
function CountRules {
param (
[string]$guid,
[array]$rules
)
$filterd_rules = $rules | Where-Object { $_.subcategory_guids -contains $guid }
if ($filterd_rules.Count -eq 0) {
return "no rules"
}
$counts = @{
critical = 0
high = 0
medium = 0
low = 0
informational = 0
}
foreach ($rule in $filterd_rules) {
if ($counts.ContainsKey($rule.level)) {
$counts[$rule.level]++
}
}
$status = if ($filterd_rules[0].applicable) { "enabled" } else { "disabled" }
$result = "$status (critical: $($counts['critical']) | high: $($counts['high']) | medium: $($counts['medium']) | low: $($counts['low']), info: $($counts['informational']))"
return $result
}
function ColorPrint {
param (
[string]$line,
[string]$category,
[array]$sub_categories
)
if ($line.Trim() -eq $category.Trim()) {
$allEnabled = $true
$allDisabled = $true
foreach ($sub_category in $sub_categories) {
if ($sub_category -notmatch 'enabled') {
$allEnabled = $false
}
if ($sub_category -notmatch 'disabled') {
$allDisabled = $false
}
}
if ($allEnabled) {
Write-Host $category -ForegroundColor Green
} elseif ($allDisabled) {
Write-Host $category -ForegroundColor Red
} else {
Write-Host $category -ForegroundColor DarkYellow
}
}
}
function ShowVerboseSecurity {
param (
[array]$rules
)
$m_credential_validation = CountRules -guid "0CCE923F-69AE-11D9-BED3-505054503030" -rules $rules
$m_kerberos_authentication_service = CountRules -guid "0CCE9242-69AE-11D9-BED3-505054503030" -rules $rules
$m_kerberos_sevice_ticket_operations = CountRules -guid "0CCE9240-69AE-11D9-BED3-505054503030" -rules $rules
$m_computer_account_management = CountRules -guid "0CCE9236-69AE-11D9-BED3-505054503030" -rules $rules
$m_other_account_management = CountRules -guid "0CCE923A-69AE-11D9-BED3-505054503030" -rules $rules
$m_security_group_management = CountRules -guid "0CCE9237-69AE-11D9-BED3-505054503030" -rules $rules
$m_user_account_management = CountRules -guid "0CCE9235-69AE-11D9-BED3-505054503030" -rules $rules
$m_plug_and_play_events = CountRules -guid "0CCE9248-69AE-11D9-BED3-505054503030" -rules $rules
$m_process_creation = CountRules -guid "0CCE922B-69AE-11D9-BED3-505054503030" -rules $rules
$m_process_termination = CountRules -guid "0CCE922C-69AE-11D9-BED3-505054503030" -rules $rules
$m_rpc_events = CountRules -guid "0CCE922E-69AE-11D9-BED3-505054503030" -rules $rules
$m_token_right_adjusted_events = CountRules -guid "0CCE924A-69AE-11D9-BED3-505054503030" -rules $rules
$m_directory_service_access = CountRules -guid "0CCE923B-69AE-11D9-BED3-505054503030" -rules $rules
$m_directory_service_changes = CountRules -guid "0CCE923C-69AE-11D9-BED3-505054503030" -rules $rules
$m_account_lockout = CountRules -guid "0CCE9217-69AE-11D9-BED3-505054503030" -rules $rules
$m_group_membership = CountRules -guid "0CCE9249-69AE-11D9-BED3-505054503030" -rules $rules
$m_logoff = CountRules -guid "0CCE9216-69AE-11D9-BED3-505054503030" -rules $rules
$m_logon = CountRules -guid "0CCE9215-69AE-11D9-BED3-505054503030" -rules $rules
$m_other_logon_logoff_events = CountRules -guid "0CCE921C-69AE-11D9-BED3-505054503030" -rules $rules
$m_special_logon = CountRules -guid "0CCE921B-69AE-11D9-BED3-505054503030" -rules $rules
$m_certification_services = CountRules -guid "0CCE9221-69AE-11D9-BED3-505054503030" -rules $rules
$m_detailed_file_share = CountRules -guid "0CCE9244-69AE-11D9-BED3-505054503030" -rules $rules
$m_file_share = CountRules -guid "0CCE9224-69AE-11D9-BED3-505054503030" -rules $rules
$m_file_system = CountRules -guid "0CCE921D-69AE-11D9-BED3-505054503030" -rules $rules
$m_filtering_platform_connection = CountRules -guid "0CCE9226-69AE-11D9-BED3-505054503030" -rules $rules
$m_filtering_platform_packet_drop = CountRules -guid "0CCE9225-69AE-11D9-BED3-505054503030" -rules $rules
$m_kernel_object = CountRules -guid "0CCE921F-69AE-11D9-BED3-505054503030" -rules $rules
$m_handle_manipulation = CountRules -guid "0CCE9223-69AE-11D9-BED3-505054503030" -rules $rules
$m_other_object_access_events = CountRules -guid "0CCE9227-69AE-11D9-BED3-505054503030" -rules $rules
$m_registry = CountRules -guid "0CCE921E-69AE-11D9-BED3-505054503030" -rules $rules
$m_removable_storage = CountRules -guid "0CCE9245-69AE-11D9-BED3-505054503030" -rules $rules
$m_sam = CountRules -guid "0CCE9220-69AE-11D9-BED3-505054503030" -rules $rules
$m_audit_policy_change = CountRules -guid "0CCE922F-69AE-11D9-BED3-505054503030" -rules $rules
$m_authentication_policy_change = CountRules -guid "0CCE9230-69AE-11D9-BED3-505054503030" -rules $rules
$m_authorization_policy_change = CountRules -guid "0CCE9231-69AE-11D9-BED3-505054503030" -rules $rules
$m_filtering_platform_policy_change = CountRules -guid "0CCE9233-69AE-11D9-BED3-505054503030" -rules $rules
$m_mpssvc_rule_level_policy_change = CountRules -guid "0CCE9232-69AE-11D9-BED3-505054503030" -rules $rules
$m_other_policy_change_events = CountRules -guid "0CCE9234-69AE-11D9-BED3-505054503030" -rules $rules
$m_non_sensitive_use_events = CountRules -guid "0CCE9229-69AE-11D9-BED3-505054503030" -rules $rules
$m_sensitive_privilege_use = CountRules -guid "0CCE9228-69AE-11D9-BED3-505054503030" -rules $rules
$m_other_system_events = CountRules -guid "0CCE9214-69AE-11D9-BED3-505054503030" -rules $rules
$m_security_state_change = CountRules -guid "0CCE9210-69AE-11D9-BED3-505054503030" -rules $rules
$m_security_system_extension = CountRules -guid "0CCE9211-69AE-11D9-BED3-505054503030" -rules $rules
$m_system_integrity = CountRules -guid "0CCE9212-69AE-11D9-BED3-505054503030" -rules $rules
$msg = @"
Detailed Security category settings:
Account Logon
- Credential Validation: $m_credential_validation
- Volume: Depends on NTLM usage. Could be high on DCs and low on clients and servers.
- Default settings: Client OS: No Auditing | Server OS: Success
- Recommended settings: Client and Server OSes: Success and Failure
- Kerberos Authentication Service: $m_kerberos_authentication_service
- Volume: High
- Default settings: Client OS: No Auditing | Server OS: Success
- Recommended settings: Client OS: No Auditing | Server OS: Success and Failure
- Kerberos Service Ticket Operations: $m_kerberos_sevice_ticket_operations
- Volume: High
- Default settings: Client OS: No Auditing | Server OS: Success
- Recommended settings: Domain Controllers: Success and Failure
Account Management
- Computer Account Management: $m_computer_account_management
- Volume: Low
- Default settings: Client OS: No Auditing | Server OS: Success Only
- Recommended settings: Domain Controllers: Success and Failure
- Other Account Management Events: $m_other_account_management
- Volume: Low
- Default settings: No Auditing
- Recommended settings: Success and Failure
- Security Group Management: $m_security_group_management
- Volume: Low
- Default settings: Success
- Recommended settings: Success and Failure
- User Account Management: $m_user_account_management
- Volume: Low
- Default settings: Success
- Recommended settings: Success and Failure
Detailed Tracking
- Plug and Play Events: $m_plug_and_play_events
- Volume: Typcially low
- Default settings: No Auditing
- Recommended settings: Success and Failure
- Process Creation: $m_process_creation
- Volume: High
- Default settings: No Auditing
- Recommended settings: Success and Failure if sysmon is not configured.
- Process Termination: $m_process_termination
- Volume: High
- Default settings: No Auditing
- Recommended settings: No Auditing unless you want to track the lifespan of processes.
- RPC (Remote Procedure Call) Events: $m_rpc_events
- Volume: High on RPC servers (According to Microsoft)
- Default settings: No Auditing
- Recommended settings: Unknown. Needs testing.
- Token Right Adjusted Events: $m_token_right_adjusted_events
- Volume: Unknown
- Default settings: No Auditing
- Recommended settings: Unknown. Needs testing.
DS (Directory Service) Access
- Directory Service Access: $m_directory_service_access
- Volume: High
- Default settings: Client OS: No Auditing | Server OS: Success
- Recommended settings: Client OS: No Auditing | ADDS Server: Success and Failure
- Directory Service Changes: $m_directory_service_changes
- Volume: High
- Default settings: No Auditing
- Recommended settings: Client OS: No Auditing | ADDS Server: Success and Failure
Logon/Logoff
- Account Lockout: $m_account_lockout
- Volume: Low
- Default settings: Success
- Recommended settings: Success and Failure
- Group Membership: $m_group_membership
- Volume: Adds an extra 4627 event to every logon.
- Default settings: No Auditing
- Recommended settings: No Auditing
- Logoff: $m_logoff
- Volume: High
- Default settings: Success
- Recommended settings: Success
- Logon: $m_logon
- Volume: Low on clients, medium on DCs or network servers
- Default settings: Client OS: Success | Server OS: Success and Failure
- Recommended settings: Success and Failure
- Other Logon/Logoff Events: $m_other_logon_logoff_events
- Volume: Low
- Default settings: No Auditing
- Recommended settings: Success and Failure
- Special Logon: $m_special_logon
- Volume: Low on clients. Medium on DC or network servers.
- Default settings: Success
- Recommended settings: Success and Failure
Object Access
- Certification Services: $m_certification_services
- Volume: Low to medium
- Default settings: No Auditing
- Recommended settings: Success and Failure for AD CS role servers.
- Detailed File Share: $m_detailed_file_share
- Volume: Very high for file servers and DCs, however, may be necessary if you want to track who is accessing what files as well as detect various lateral movement.
- Default settings: No Auditing
- Recommended settings: No Auditing due to the high noise level. Enable if you can though.
- File Share: $m_file_share
- Volume: High for file servers and DCs.
- Default settings: No Auditing
- Recommended settings: Success and Failure
- File System: $m_file_system
- Volume: Depends on SACL rules
- Default settings: No Auditing
- Recommended settings: Enable SACLs just for sensitive files
- Filtering Platform Connection: $m_filtering_platform_connection
- Volume: High
- Default settings: No Auditing
- Recommended settings: Success and Failure if you have enough space and are not monitoring network connections with sysmon. This should cause a high amount of events though.
- Filtering Platform Packet Drop: $m_filtering_platform_packet_drop
- Volume: High
- Default settings: No Auditing
- Recommended settings: Success and Failure if you have enough space and are not monitoring network connections with sysmon. This should cause a high amount of events though.
- Kernel Object: $m_kernel_object
- Volume: High if auditing access of global object access is enabled
- Default settings: No Auditing
- Recommended settings: Success and Failure but do not enable Audit the access of global system objects as you will generate too many 4663: Object Access events.
- Handle Manipulation: $m_handle_manipulation
- Volume: High
- Default settings: No Auditing
- Recommended settings: Success and Failure
- Other Object Access Events: $m_other_object_access_events
- Volume: Low
- Default settings: No Auditing
- Recommended settings: Success and Failure
- Registry: $m_registry
- Volume: Depends on SACLs
- Default settings: No Auditing
- Recommended settings: Set SACLs for only the registry keys that you want to monitor
- Removable Storage: $m_removable_storage
- Volume: Depends on how much removable storage is used
- Default settings: No Auditing
- Recommended settings: Success and Failure if you want to monitor external device usage.
- SAM: $m_sam
- Volume: High volume of events on Domain Controllers
- Default settings: No Auditing
- Recommended settings: Success and Failure if you can but may cause too high volume of noise so should be tested beforehand.
Policy Change
- Audit Policy Change: $m_audit_policy_change
- Volume: Low
- Default settings: Success
- Recommended settings: Success and Failure
- Authentication Policy Change: $m_authentication_policy_change
- Volume: Low
- Default settings: Success
- Recommended settings: Success and Failure
- Authorization Policy Change: $m_authorization_policy_change
- Volume: Medium to High
- Default settings: No Auditing
- Recommended settings: Unknown. Needs testing.
- Filtering Platform Policy Change: $m_filtering_platform_policy_change
- Volume: Low
- Default settings: No Auditing
- Recommended settings: Unknown, Needs testing.
- MPSSVC Rule-Level Policy Change: $m_mpssvc_rule_level_policy_change
- Volume: Low
- Default settings: No Auditing
- Recommended settings: Unknown. Needs testing.
- Other Policy Change Events: $m_other_policy_change_events
- Volume: Low
- Default settings: No Auditing
- Recommended settings: No Auditing (Note: ACSC recommends Success and Failure, however, this results in a lot of noise of 5447 (A Windows Filtering Platform filter has been changed) events being generated.)
Privilege Use
- Non Sensitive Use Events: $m_non_sensitive_use_events
- Volume: Very high
- Default settings: No Auditing
- Recommended settings: No Auditing
- Sensitive Privilege Use: $m_sensitive_privilege_use
- Volume: High
- Default settings: No Auditing
- Recommended settings: Success and Failure However, this may be too noisy.
System
- Other System Events: $m_other_system_events
- Volume: Low
- Default settings: Success and Failure
- Recommended settings: Unknown. Needs testing.
- Security State Change: $m_security_state_change
- Volume: Low
- Default settings: Success
- Recommended settings: Success and Failure
- Security System Extension: $m_security_system_extension
- Volume: Low, but more on DCs
- Default settings: No Auditing
- Recommended settings: Success and Failure
- System Integrity: $m_system_integrity
- Volume: Low
- Default settings: Sucess, Failure
- Recommended settings: Success and Failure
"@
$msgLines = $msg -split "`n"
foreach ($line in $msgLines) {
ColorPrint -line $line -category "Account Logon" -sub_categories @(
$m_credential_validation,
$m_kerberos_authentication_service,
$m_kerberos_sevice_ticket_operations
)
ColorPrint -line $line -category "Account Management" -sub_categories @(
$m_computer_account_management,
$m_other_account_management,
$m_security_group_management,
$m_user_account_management
)
ColorPrint -line $line -category "Detailed Tracking" -sub_categories @(
$m_plug_and_play_events,
$m_process_creation,
$m_process_termination,
$m_rpc_events,
$m_token_right_adjusted_events
)
ColorPrint -line $line -category "DS (Directory Service) Access" -sub_categories @(
$m_directory_service_access,
$m_directory_service_changes
)
ColorPrint -line $line -category "Logon/Logoff" -sub_categories @(
$m_account_lockout,
$m_group_membership,
$m_logoff,
$m_logon,
$m_other_logon_logoff_events,
$m_special_logon
)
ColorPrint -line $line -category "Object Access" -sub_categories @(
$m_certification_services,
$m_detailed_file_share,
$m_file_share,
$m_file_system,
$m_filtering_platform_connection,
$m_filtering_platform_packet_drop,
$m_kernel_object,
$m_handle_manipulation,
$m_other_object_access_events,
$m_registry,
$m_removable_storage,
$m_sam
)
ColorPrint -line $line -category "Policy Change" -sub_categories @(
$m_audit_policy_change,
$m_authentication_policy_change,
$m_authorization_policy_change,
$m_filtering_platform_policy_change,
$m_mpssvc_rule_level_policy_change,
$m_other_policy_change_events
)
ColorPrint -line $line -category "Privilege Use" -sub_categories @(
$m_non_sensitive_use_events,
$m_sensitive_privilege_use
)
ColorPrint -line $line -category "System" -sub_categories @(
$m_other_system_events,
$m_security_state_change,
$m_security_system_extension,
$m_system_integrity
)
if ($line -match '.*disabled.*\(') {
Write-Host $line -ForegroundColor Red
} elseif ($line -match '.*enabled.*\(') {
Write-Host $line -ForegroundColor Green
} elseif ($line -match '.*no rules.*') {
Write-Host $line -ForegroundColor DarkYellow
} else {
if ($line -notmatch "Account Logon" -and $line -notmatch "Account Management" -and $line -notmatch "Detailed Tracking" -and $line -notmatch "DS \(Directory Service\) Access" -and $line -notmatch "Logon/Logoff" -and $line -notmatch "Object Access" -and $line -notmatch "Policy Change" -and $line -notmatch "Privilege Use" -and $line -notmatch "System") {
Write-Host $line
}
}
}
Write-Host ""
}