From d4e8b4cea44bf4537b7236d60c430d1acf2e049c Mon Sep 17 00:00:00 2001
From: fukusuket <41001169+fukusuket@users.noreply.github.com>
Date: Sun, 13 Apr 2025 21:31:43 +0900
Subject: [PATCH] feat: refactor and add output option
---
WELA.ps1 | 1148 +++++++++++++++++++++++++++++++++++---
WELAFunctions.psm1 | 223 --------
WELAVerboseSecAudit.psm1 | 375 -------------
3 files changed, 1076 insertions(+), 670 deletions(-)
delete mode 100644 WELAFunctions.psm1
delete mode 100644 WELAVerboseSecAudit.psm1
diff --git a/WELA.ps1 b/WELA.ps1
index 38b2544a..6966635a 100644
--- a/WELA.ps1
+++ b/WELA.ps1
@@ -1,5 +1,1052 @@ -Import-Module -Name ./WELAFunctions.psm1 -Import-Module -Name ./WELAVerboseSecAudit.psm1 +class WELA { + static [array] $Levels = @('critical', 'high', 'medium', 'low', 'informational') + [string] $Category + [string] $SubCategory + [bool] $Enabled + [array] $Rules + [hashtable] $RulesCount + [string] $DefaultSetting = "" + [string] $RecommendedSetting = "" + [string] $Volume = "" + [string] $Note = "" + + WELA([string] $Category, [string] $SubCategory, [bool] $Enabled, [array] $Rules) { + $this.Category = $Category + $this.SubCategory = $SubCategory + $this.Enabled = $Enabled + $this.Rules = $Rules + $this.RulesCount = @{'critical' = 0; 'high' = 0; 'medium' = 0; 'low' = 0; 'informational' = 0} + } + + + WELA([string] $Category, [string] $SubCategory, [bool] $Enabled, [array] $Rules, [string] $DefaultSetting, [string] $RecommendedSetting, [string] $Volume, [string] $Note) { + $this.Category = $Category + $this.SubCategory = $SubCategory + $this.Enabled = $Enabled + $this.Rules = $Rules + $this.DefaultSetting = $DefaultSetting + $this.RecommendedSetting = $RecommendedSetting + $this.Volume = $Volume + $this.Note = $Note + $this.RulesCount = @{'critical' = 0; 'high' = 0; 'medium' = 0; 'low' = 0; 'informational' = 0} + } + + [void] SetApplicable([array] $Enabledguid) { + if ($this.Enabled) { + foreach ($rule in $this.Rules) { + $rule.applicable = $true + } + return + } + foreach ($rule in $this.Rules) { + $rule.applicable = $false + foreach ($guid in $rule.subcategory_guid) { + if ($Enabledguid -contains $guid) { + $rule.applicable = $true + break + } + } + } + } + + [void] CountByLevel() { + $this.RulesCount = @{} + foreach ($level in [WELA]::Levels) { + $this.RulesCount[$level] = ($this.Rules | Where-Object { $_.level -eq $level }).Count + } + } + + [void] Output([string] $Format) { + switch ($Format.ToLower()) { + "std" { + $color = if ($this.Enabled) { "Green" } else { "Red" } + $logEnabled = if ($this.Enabled) { "Enabled" } else { "Disabled" } 
+ $ruleCounts = "" + $allZero = $this.RulesCount.Values | Where-Object { $_ -ne 0 } | Measure-Object | Select-Object -ExpandProperty Count + if ($allZero -eq 0) { + $ruleCounts = "no rules" + $color = "DarkYellow" + } else { + $ruleCounts = "$($logEnabled) (" + foreach ($level in [WELA]::Levels) { + $count = $this.RulesCount[$level] + if ($level -eq "informational") { + $ruleCounts += "info:$count" + } else { + $ruleCounts += "$($level):$count, " + } + } + $ruleCounts += ")" + } + if ($this.SubCategory) { + Write-Host " -$($this.SubCategory): $ruleCounts" -ForegroundColor $color + } + if ($this.DefaultSetting) { + Write-Host " -Default Setting: $($this.DefaultSetting)" + } + if ($this.RecommendedSetting) { + Write-Host " -Recommended Setting: $($this.RecommendedSetting)" + } + if ($this.Volume) { + Write-Host " -Volume: $($this.Volume)" + } + if ($this.Note) { + Write-Host " -Note: $($this.Note)" + } + + } + default { + Write-Error "Invalid output format specified." + } + } + } +} + +function ApplyRules { + param ( + [bool] $enabled, + [array] $rules, + [string] $guid + ) + $rules = $rules | Where-Object { $_.subcategory_guids -contains $guid } + if ($rules.Count -eq 0) { + $rules = @() + } else { + $rules | ForEach-Object { $_.applicable = $enabled } + } + return ,@($rules) # 暗黙の型変換でPSCustomObjectに変換されてしまうため、型を明示 +} + + +function RuleFilter { + [OutputType([bool])] + param ( + [pscustomobject] $rule, + [array] $category_eids, + [array] $category_channels, + [string] $category_guid + ) + $result = $false + if ($category_channels.Count -gt 0) { + if ($category_channels -contains $rule.channel) { + $result = $true + } else { + $result = $false + } + } + if ($category_eids.Count -gt 0) { + foreach ($eid in $rule.event_ids) { + if ($category_eids -contains $eid) { + $result = $true + break + } + $result = $false + } + } + if ($category_guid) { + foreach ($guid in $rule.subcategory_guid) { + if ($category_guid -eq $guid) { + $result = $true + break + } + $result = 
$false + } + } + return $result +} + +function AuditLogSetting { + param ( + [string] $outType + ) + $autidpolTxt = "./auditpol.txt" + Start-Process -FilePath "cmd.exe" -ArgumentList "/c chcp 437 & auditpol /get /category:* /r" -NoNewWindow -Wait -RedirectStandardOutput $autidpolTxt + $enabledguid = [System.Collections.Generic.HashSet[string]]::new() + Get-Content -Path $autidpolTxt | Select-String -NotMatch "No Auditing" | ForEach-Object { + if ($_ -match '{(.*?)}') { + [void]$enabledguid.Add($matches[1]) + } + } + $all_rules = Get-Content -Path "config/security_rules.json" -Raw | ConvertFrom-Json + $all_rules | ForEach-Object { + $_ | Add-Member -MemberType NoteProperty -Name "applicable" -Value $false + } + $auditResult = @() + + # PowerShell + ## Classic + $guid = "" + $eids = @("400") + $channels = @("pwsh") + $enabled = $true + $rules = $all_rules | Where-Object { RuleFilter $_ $eids $channels $guid } + $rules | ForEach-Object { $_.applicable = $enabled } + $auditResult += [WELA]::New( + "PowerShell", + "Classic", + $enabled, + $rules + ) + + ## Module + $guid = "" + $eids = @("4103") + $channels = @("pwsh") + $enabled = $false + $rules = $all_rules | Where-Object { RuleFilter $_ $eids $channels $guid } + $rules | ForEach-Object { $_.applicable = $enabled } + $auditResult += [WELA]::New( + "PowerShell", + "Module", + $enabled, + $rules + ) + + ## ScriptBlock + $guid = "" + $eids = @("4104") + $channels = @("pwsh") + $enabled = $false + $rules = $all_rules | Where-Object { RuleFilter $_ $eids $channels $guid } + $rules | ForEach-Object { $_.applicable = $enabled } + $auditResult += [WELA]::New( + "PowerShell", + "ScriptBlock", + $enabled, + $rules + ) + + # Security + ## Advanced + ### Account Logon + #### Credential Validation + $guid = "0CCE923F-69AE-11D9-BED3-505054503030" + $eids = @() + $channels = @("sec") + $enabled = $enabledguid -contains $guid + $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $auditResult += [WELA]::New( + 
"Security Advanced (Account Logon)", + "Credential Validation", + $enabled, + $rules, + "Client OS: No Auditing | Server OS: Success", + "Client and Server OSes: Success and Failure", + "Depends on NTLM usage. Could be high on DCs and low on clients and servers.", + "" + ) + + #### Kerberos Authentication Service + $guid = "0CCE9242-69AE-11D9-BED3-505054503030" + $eids = @() + $channels = @("sec") + $enabled = $enabledguid -contains $guid + $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $auditResult += [WELA]::New( + "Security Advanced (Account Logon)", + "Kerberos Authentication Service", + $enabled, + $rules, + "Client OS: No Auditing | Server OS: Success", + "Client OS: No Auditing | Server OS: Success and Failure", + "High", + "" + ) + + #### Kerberos Service Ticket Operations + $guid = "0CCE9240-69AE-11D9-BED3-505054503030" + $eids = @() + $channels = @("sec") + $enabled = $enabledguid -contains $guid + $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $auditResult += [WELA]::New( + "Security Advanced (Account Logon)", + "Kerberos Service Ticket Operations", + $enabled, + $rules, + "Client OS: No Auditing | Server OS: Success", + "Domain Controllers: Success and Failure", + "High", + "" + ) + + ### Account Management + #### Computer Account Management + $guid = "0CCE9236-69AE-11D9-BED3-505054503030" + $eids = @() + $channels = @("sec") + $enabled = $enabledguid -contains $guid + $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $auditResult += [WELA]::New( + "Security Advanced (Account Management)", + "Computer Account Management", + $enabled, + $rules, + "Client OS: No Auditing | Server OS: Success", + "Domain Controllers: Success and Failure", + "High", + "" + ) + + #### Other Account Management Events + $guid = "0CCE923A-69AE-11D9-BED3-505054503030" + $eids = @() + $channels = @("sec") + $enabled = $enabledguid -contains $guid + $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid 
+ $auditResult += [WELA]::New( + "Security Advanced (Account Management)", + "Other Account Management Events", + $enabled, + $rules, + "No Auditing", + "Success and Failure", + "Low", + "" + ) + + #### Security Group Management + $guid = "0CCE9237-69AE-11D9-BED3-505054503030" + $eids = @() + $channels = @("sec") + $enabled = $enabledguid -contains $guid + $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $auditResult += [WELA]::New( + "Security Advanced (Account Management)", + "Security Group Management", + $enabled, + $rules, + "No Auditing", + "Success and Failure", + "Low", + "" + ) + + #### User Account Management + $guid = "0CCE9235-69AE-11D9-BED3-505054503030" + $eids = @() + $channels = @("sec") + $enabled = $enabledguid -contains $guid + $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $auditResult += [WELA]::New( + "Security Advanced (Account Management)", + "User Account Management", + $enabled, + $rules, + "No Auditing", + "Success and Failure", + "Low", + "" + ) + + ### Detailed Tracking + #### Plug and Play Events + $guid = "0CCE9248-69AE-11D9-BED3-505054503030" + $eids = @() + $channels = @("sec") + $enabled = $enabledguid -contains $guid + $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $auditResult += [WELA]::New( + "Security Advanced (Detailed Tracking)", + "Plug and Play Events", + $enabled, + $rules, + "No Auditing", + "Success and Failure", + "Low", + "" + ) + + #### Process Creation + $guid = "0CCE9248-69AE-11D9-BED3-505054503030" + $eids = @() + $channels = @("sec") + $enabled = $enabledguid -contains $guid + $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $auditResult += [WELA]::New( + "Security Advanced (Detailed Tracking)", + "Process Creation", + $enabled, + $rules, + "No Auditing", + "Success and Failure if sysmon is not configured", + "High", + "" + ) + + #### Process Termination + $guid = "0CCE922B-69AE-11D9-BED3-505054503030" + $eids = @() + 
$channels = @("sec") + $enabled = $enabledguid -contains $guid + $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $auditResult += [WELA]::New( + "Security Advanced (Detailed Tracking)", + "Process Termination", + $enabled, + $rules, + "No Auditing", + "No Auditing unless you want to track the lifespan of processes", + "High", + "" + ) + + #### RPC Events + $guid = "0CCE922E-69AE-11D9-BED3-505054503030" + $eids = @() + $channels = @("sec") + $enabled = $enabledguid -contains $guid + $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $auditResult += [WELA]::New( + "Security Advanced (Detailed Tracking)", + "RPC Events", + $enabled, + $rules, + "No Auditing", + "Unknown. Needs testing", + "High on RPC servers (According to Microsoft)", + "" + ) + + #### Token Right Adjusted Events + $guid = "0CCE922E-69AE-11D9-BED3-505054503030" + $eids = @() + $channels = @("sec") + $enabled = $enabledguid -contains $guid + $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $auditResult += [WELA]::New( + "Security Advanced (Detailed Tracking)", + "Token Right Adjusted Events", + $enabled, + $rules, + "No Auditing", + "Unknown. 
Needs testing", + "Unknown", + "" + ) + + ### DS (Directory Service) Access + #### Directory Service Access + $guid = "0CCE923B-69AE-11D9-BED3-505054503030" + $eids = @() + $channels = @("sec") + $enabled = $enabledguid -contains $guid + $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $auditResult += [WELA]::New( + "Security Advanced (DS Access)", + "Directory Service Access", + $enabled, + $rules, + "Client OS: No Auditing | Server OS: Success", + "Client OS: No Auditing | ADDS Server: Success and Failure", + "High", + "" + ) + + #### Directory Service Changes + $guid = "0CCE923C-69AE-11D9-BED3-505054503030" + $eids = @() + $channels = @("sec") + $enabled = $enabledguid -contains $guid + $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $auditResult += [WELA]::New( + "Security Advanced (DS Access)", + "Directory Service Changes", + $enabled, + $rules, + "No Auditing", + "Client OS: No Auditing | ADDS Server: Success and Failure", + "High", + "" + ) + + ### Logon/Logoff + #### Account Lockout + $guid = "0CCE9217-69AE-11D9-BED3-505054503030" + $eids = @() + $channels = @("sec") + $enabled = $enabledguid -contains $guid + $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $auditResult += [WELA]::New( + "Security Advanced (Logon/Logoff)", + "Account Lockout", + $enabled, + $rules, + "Success", + "Success and Failure", + "Low", + "" + ) + + #### Group Membership + $guid = "0CCE9249-69AE-11D9-BED3-505054503030" + $eids = @() + $channels = @("sec") + $enabled = $enabledguid -contains $guid + $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $auditResult += [WELA]::New( + "Security Advanced (Logon/Logoff)", + "Group Membership", + $enabled, + $rules, + "No Auditing", + "No Auditing", + "Adds an extra 4627 event to every logon", + "" + ) + + #### Logoff + $guid = "0CCE9216-69AE-11D9-BED3-505054503030" + $eids = @() + $channels = @("sec") + $enabled = $enabledguid -contains $guid + $rules = 
ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $auditResult += [WELA]::New( + "Security Advanced (Logon/Logoff)", + "Group Membership", + $enabled, + $rules, + "No Auditing", + "No Auditing", + "Adds an extra 4627 event to every logon", + "" + ) + + #### Logon + $guid = "0CCE9215-69AE-11D9-BED3-505054503030" + $eids = @() + $channels = @("sec") + $enabled = $enabledguid -contains $guid + $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $auditResult += [WELA]::New( + "Security Advanced (Logon/Logoff)", + "Logon", + $enabled, + $rules, + "Client OS: Success | Server OS: Success and Failure", + "Success and Failure", + "Low on clients, medium on DCs or network servers", + "" + ) + + #### Other Logon/Logoff Events + $guid = "0CCE921C-69AE-11D9-BED3-505054503030" + $eids = @() + $channels = @("sec") + $enabled = $enabledguid -contains $guid + $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $auditResult += [WELA]::New( + "Security Advanced (Logon/Logoff)", + "Other Logon/Logoff Events", + $enabled, + $rules, + "No Auditing", + "Success and Failure", + "Low", + "" + ) + + #### Special Logon + $guid = "0CCE921B-69AE-11D9-BED3-505054503030" + $eids = @() + $channels = @("sec") + $enabled = $enabledguid -contains $guid + $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $auditResult += [WELA]::New( + "Security Advanced (Logon/Logoff)", + "Special Logon", + $enabled, + $rules, + "Success", + "Success and Failure", + "Low on clients. 
Medium on DC or network servers", + "" + ) + + + ### Object Access + #### Certification Services + $guid = "0CCE9221-69AE-11D9-BED3-505054503030" + $eids = @() + $channels = @("sec") + $enabled = $enabledguid -contains $guid + $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $auditResult += [WELA]::New( + "Security Advanced (Object Access)", + "Certification Services", + $enabled, + $rules, + "No Auditing", + "Success and Failure for AD CS role servers", + "Low to medium", + "" + ) + + #### Detailed File Share + $guid = "0CCE9244-69AE-11D9-BED3-505054503030" + $eids = @() + $channels = @("sec") + $enabled = $enabledguid -contains $guid + $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $auditResult += [WELA]::New( + "Security Advanced (Object Access)", + "Certification Services", + $enabled, + $rules, + "No Auditing", + "No Auditing due to the high noise level. Enable if you can though", + "Very high for file servers and DCs, however, may be necessary if you want to track who is accessing what files as well as detect various lateral movement", + "" + ) + + #### File Share + $guid = "0CCE9224-69AE-11D9-BED3-505054503030" + $eids = @() + $channels = @("sec") + $enabled = $enabledguid -contains $guid + $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $auditResult += [WELA]::New( + "Security Advanced (Object Access)", + "File Share", + $enabled, + $rules, + "No Auditing", + "Success and Failure", + "High for file servers and DCs", + "" + ) + + #### File System + $guid = "0CCE921D-69AE-11D9-BED3-505054503030" + $eids = @() + $channels = @("sec") + $enabled = $enabledguid -contains $guid + $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $auditResult += [WELA]::New( + "Security Advanced (Object Access)", + "File System", + $enabled, + $rules, + "No Auditing", + "Enable SACLs just for sensitive files", + "Depends on SACL rules", + "" + ) + + #### Filtering Platform Connection + $guid = 
"0CCE9226-69AE-11D9-BED3-505054503030" + $eids = @() + $channels = @("sec") + $enabled = $enabledguid -contains $guid + $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $auditResult += [WELA]::New( + "Security Advanced (Object Access)", + "Filtering Platform Connection", + $enabled, + $rules, + "No Auditing", + "Success and Failure if you have enough space and are not monitoring network connections with sysmon. This should cause a high amount of events though", + "High", + "" + ) + + #### Filtering Platform Packet Drop + $guid = "0CCE9225-69AE-11D9-BED3-505054503030" + $eids = @() + $channels = @("sec") + $enabled = $enabledguid -contains $guid + $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $auditResult += [WELA]::New( + "Security Advanced (Object Access)", + "Filtering Platform Packet Drop", + $enabled, + $rules, + "No Auditing", + "Success and Failure for AD CS role servers", + "High", + "" + ) + + #### Kernel Object + $guid = "0CCE921F-69AE-11D9-BED3-505054503030" + $eids = @() + $channels = @("sec") + $enabled = $enabledguid -contains $guid + $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $auditResult += [WELA]::New( + "Security Advanced (Object Access)", + "Kernel Object", + $enabled, + $rules, + "No Auditing", + "Success and Failure but do not enable Audit the access of global system objects as you will generate too many 4663: Object Access events", + "High if auditing access of global object access is enabled", + "" + ) + + #### Handle Manipulation + $guid = "0CCE9223-69AE-11D9-BED3-505054503030" + $eids = @() + $channels = @("sec") + $enabled = $enabledguid -contains $guid + $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $auditResult += [WELA]::New( + "Security Advanced (Object Access)", + "Handle Manipulation", + $enabled, + $rules, + "No Auditing", + "Success and Failure", + "High", + "" + ) + + #### Other Object Access Events + $guid = 
"0CCE9227-69AE-11D9-BED3-505054503030" + $eids = @() + $channels = @("sec") + $enabled = $enabledguid -contains $guid + $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $auditResult += [WELA]::New( + "Security Advanced (Object Access)", + "Other Object Access Events", + $enabled, + $rules, + "No Auditing", + "Success and Failure", + "Low", + "" + ) + + #### Registry + $guid = "0CCE921E-69AE-11D9-BED3-505054503030" + $eids = @() + $channels = @("sec") + $enabled = $enabledguid -contains $guid + $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $auditResult += [WELA]::New( + "Security Advanced (Object Access)", + "Registry", + $enabled, + $rules, + "No Auditing", + "Set SACLs for only the registry keys that you want to monitor", + "Depends on SACLs", + "" + ) + + #### Removable Storage + $guid = "0CCE9245-69AE-11D9-BED3-505054503030" + $eids = @() + $channels = @("sec") + $enabled = $enabledguid -contains $guid + $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $auditResult += [WELA]::New( + "Security Advanced (Object Access)", + "Removable Storage", + $enabled, + $rules, + "No Auditing", + "Success and Failure if you want to monitor external device usage", + "Depends on how much removable storage is used", + "" + ) + + #### SAM + $guid = "0CCE9220-69AE-11D9-BED3-505054503030" + $eids = @() + $channels = @("sec") + $enabled = $enabledguid -contains $guid + $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $auditResult += [WELA]::New( + "Security Advanced (Object Access)", + "SAM", + $enabled, + $rules, + "No Auditing", + "Success and Failure for AD CS role servers", + "Success and Failure if you can but may cause too high volume of noise so should be tested beforehand", + "" + ) + + ### Policy Change + #### Audit Policy Change + $guid = "0CCE922F-69AE-11D9-BED3-505054503030" + $eids = @() + $channels = @("sec") + $enabled = $enabledguid -contains $guid + $rules = ApplyRules -enabled 
$enabled -rules $all_rules -guid $guid + $auditResult += [WELA]::New( + "Security Advanced (Policy Change)", + "Audit Policy Change", + $enabled, + $rules, + "Success", + "Success and Failure", + "Low", + "" + ) + + #### Authentication Policy Change + $guid = "0CCE9230-69AE-11D9-BED3-505054503030" + $eids = @() + $channels = @("sec") + $enabled = $enabledguid -contains $guid + $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $auditResult += [WELA]::New( + "Security Advanced (Policy Change)", + "Authentication Policy Change", + $enabled, + $rules, + "Success", + "Success and Failure", + "Low", + "" + ) + + #### Authorization Policy Change + $guid = "0CCE9231-69AE-11D9-BED3-505054503030" + $eids = @() + $channels = @("sec") + $enabled = $enabledguid -contains $guid + $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $auditResult += [WELA]::New( + "Security Advanced (Policy Change)", + "Authorization Policy Change", + $enabled, + $rules, + "No Auditing", + "Unknown. 
Needs testing", + "Medium to High", + "" + ) + + #### Filtering Platform Policy Change + $guid = "0CCE9233-69AE-11D9-BED3-505054503030" + $eids = @() + $channels = @("sec") + $enabled = $enabledguid -contains $guid + $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $auditResult += [WELA]::New( + "Security Advanced (Policy Change)", + "Filtering Platform Policy Change", + $enabled, + $rules, + "No Auditing", + "Unknown, Needs testing", + "Low", + "" + ) + + #### MPSSVC Rule-Level Policy Change + $guid = "0CCE9232-69AE-11D9-BED3-505054503030" + $eids = @() + $channels = @("sec") + $enabled = $enabledguid -contains $guid + $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $auditResult += [WELA]::New( + "Security Advanced (Policy Change)", + "MPSSVC Rule-Level Policy Change", + $enabled, + $rules, + "No Auditing", + "Unknown, Needs testing", + "Low", + "" + ) + + #### Other Policy Change Events + $guid = "0CCE9234-69AE-11D9-BED3-505054503030" + $eids = @() + $channels = @("sec") + $enabled = $enabledguid -contains $guid + $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $auditResult += [WELA]::New( + "Security Advanced (Policy Change)", + "Other Policy Change Events", + $enabled, + $rules, + "No Auditing", + "No Auditing (Note: ACSC recommends Success and Failure, however, this results in a lot of noise of 5447 (A Windows Filtering Platform filter has been changed) events being generated.)", + "Low", + "" + ) + + ### Privilege Use + #### Non-Sensitive Privilege Use + $guid = "0CCE9229-69AE-11D9-BED3-505054503030" + $eids = @() + $channels = @("sec") + $enabled = $enabledguid -contains $guid + $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $auditResult += [WELA]::New( + "Security Advanced (Privilege Use)", + "Non-Sensitive Privilege Use", + $enabled, + $rules, + "No Auditing", + "No Auditing", + "Very high", + "" + ) + + #### Sensitive Privilege Use + $guid = 
"0CCE9228-69AE-11D9-BED3-505054503030" + $eids = @() + $channels = @("sec") + $enabled = $enabledguid -contains $guid + $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $auditResult += [WELA]::New( + "Security Advanced (Privilege Use)", + "Sensitive Privilege Use", + $enabled, + $rules, + "No Auditing", + "Success and Failure However, this may be too noisy", + "High", + "" + ) + + ### System + #### Other System Events + $guid = "0CCE9214-69AE-11D9-BED3-505054503030" + $eids = @() + $channels = @("sec") + $enabled = $enabledguid -contains $guid + $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $auditResult += [WELA]::New( + "Security Advanced (System)", + "Other System Events", + $enabled, + $rules, + "Success and Failure", + "Unknown. Needs testing", + "Low", + "" + ) + + #### Security State Change + $guid = "0CCE9210-69AE-11D9-BED3-505054503030" + $eids = @() + $channels = @("sec") + $enabled = $enabledguid -contains $guid + $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $auditResult += [WELA]::New( + "Security Advanced (System)", + "Other System Events", + $enabled, + $rules, + "Success", + "Success and Failure", + "Low", + "" + ) + + #### Security System Extension + $guid = "0CCE9211-69AE-11D9-BED3-505054503030" + $eids = @() + $channels = @("sec") + $enabled = $enabledguid -contains $guid + $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $auditResult += [WELA]::New( + "Security Advanced (System)", + "Security System Extension", + $enabled, + $rules, + "No Auditing", + "Success and Failure", + "Low, but more on DCs", + "" + ) + + #### System Integrity + $guid = "0CCE9212-69AE-11D9-BED3-505054503030" + $eids = @() + $channels = @("sec") + $enabled = $enabledguid -contains $guid + $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $auditResult += [WELA]::New( + "Security Advanced (System)", + "System Integrity", + $enabled, + $rules, + "Success and Failure", 
+ "Success and Failure", + "Low", + "" + ) + + + $auditResult | ForEach-Object { + $_.SetApplicable($enabledguid) + $_.CountByLevel() + } + if ($outType -eq "std") { + $auditResult | Group-Object -Property Category | ForEach-Object { + $enabledCount = ($_.Group | Where-Object { $_.Enabled -eq $false }).Count -eq 0 + $disabledCount = ($_.Group | Where-Object { $_.Enabled -eq $true }).Count -eq 0 + $out = "" + $color = "" + if ($enabledCount) + { + $out = "Enabled" + $color = "Green" + } + elseif ($disabledCount) + { + $out = "Disabled" + $color = "Red" + } + else + { + $out = "Partially Enabled" + $color = "DarkYellow" + } + Write-Host "$( $_.Name ): $out" -ForegroundColor $color + $_.Group | ForEach-Object { + $_.Output($outType) + } + Write-Host "" + } + $auditResult | ForEach-Object { + $_ | Add-Member -MemberType NoteProperty -Name TotalRules -Value 0 + $_.TotalRules = ($_.Rules | Measure-Object).Count + $_ | Add-Member -MemberType NoteProperty -Name TotalRuleByLevel -Value "" + $_.TotalRuleByLevel = ($_.RulesCount.GetEnumerator() | ForEach-Object { "$($_.Key):$($_.Value)" }) -join ", " + } + $auditResult | Select-Object -Property Category, SubCategory, TotalRules, TotalRuleByLevel, Enabled, DefaultSetting, RecommendedSetting, Volume, Note | Export-Csv -Path "WELA-Audit-Result.csv" -NoTypeInformation + Write-Output "Audit check result saved to: WELA-Audit-Result.csv.csv" + } elseif ($outType -eq "gui") { + $auditResult | ForEach-Object { + $_ | Add-Member -MemberType NoteProperty -Name TotalRules -Value 0 + $_.TotalRules = ($_.Rules | Measure-Object).Count + $_ | Add-Member -MemberType NoteProperty -Name TotalRuleByLevel -Value "" + $_.TotalRuleByLevel = ($_.RulesCount.GetEnumerator() | ForEach-Object { "$($_.Key):$($_.Value)" }) -join ", " + } + $auditResult | Select-Object -Property Category, SubCategory, TotalRules, TotalRuleByLevel, Enabled, DefaultSetting, RecommendedSetting, Volume, Note | Out-GridView -Title "WELA Audit Result" + } + $usableRules = 
$auditResult | Select-Object -ExpandProperty Rules | Where-Object { $_.applicable -eq $true } + $unUsableRules = $auditResult | Select-Object -ExpandProperty Rules | Where-Object { $_.applicable -eq $false } + $usableules | Select-Object title, level, id | Export-Csv -Path "UsableRules.csv" -NoTypeInformation + $unusableRules | Select-Object title, level, id | Export-Csv -Path "UnusableRules.csv" -NoTypeInformation + Write-Output "Usable detection rules list saved to: UsableRules.csv" + Write-Output "Unusable detection rules list saved to: UnusableRules.csv" + + $totalRulesCount = $auditResult | Select-Object -ExpandProperty Rules | Measure-Object | Select-Object -ExpandProperty Count + $usableRulesCount = $usableRules | Measure-Object | Select-Object -ExpandProperty Count + $utilizationPercentage = "{0:N2}" -f (($usableRulesCount / $totalRulesCount) * 100) + $color = "Red" + if ($utilizationPercentage -ge 10 -and $utilizationPercentage -lt 70) { + $color = "DarkYellow" + } elseif ($utilizationPercentage -ge 70) { + $color = "Green" + } + Write-Host "" + Write-Host "You can utilize $utilizationPercentage% of your detection rules." -ForegroundColor $color + Write-Host "" +} + + $logo = @" ┏┓┏┓┏┳━━━┳┓ ┏━━━┓ ┃┃┃┃┃┃┏━━┫┃ ┃┏━┓┃ 
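Review bot: The PowerShell Module and ScriptBlock entries in AuditLogSetting hard-code `$enabled = $false`, so the audit always reports those two logging features as Disabled regardless of the host's policy; the previous version read the `EnableModuleLogging`/`EnableScriptBlockLogging` registry values (the lookups removed in the next hunk), and that check should be reinstated with `Get-ItemProperty` on the policy keys rather than dropped. ApplyRules filters on `$_.subcategory_guids` while RuleFilter and SetApplicable read `$rule.subcategory_guid`; whichever name config/security_rules.json actually uses, one of the two matches nothing, and with the plural form every Security subcategory would be built with an empty rule list. Several values also look copy-pasted: the export writes `$usableules` (typo for `$usableRules`, so UsableRules.csv is always empty), the message names `WELA-Audit-Result.csv.csv` although the file written is `WELA-Audit-Result.csv`, Process Creation reuses Plug and Play's GUID and Token Right Adjusted Events reuses RPC Events' GUID, and the Logoff, Detailed File Share and Security State Change rows carry the preceding row's SubCategory name. `$utilizationPercentage` is a formatted string, so `-ge 10`/`-ge 70` compare lexically ("9.00" sorts above "10") and a zero rule total divides by zero; auditpol is also launched without `-PassThru`, so a non-elevated run leaves `$enabledguid` empty and silently reports every Security subcategory as Disabled. The rewrite below keeps the numeric rate for the comparison and checks that auditpol actually produced policy data; AuditLogSetting and the WELA class are entirely within this hunk.
```powershell
    $autidpolTxt = "./auditpol.txt"
    $auditpol = Start-Process -FilePath "cmd.exe" -ArgumentList "/c chcp 437 & auditpol /get /category:* /r" -NoNewWindow -Wait -PassThru -RedirectStandardOutput $autidpolTxt
    if ($auditpol.ExitCode -ne 0 -or -not (Get-Content -Path $autidpolTxt | Select-String -SimpleMatch -Quiet '{')) {
        Write-Warning "auditpol returned no policy data (exit code $($auditpol.ExitCode)); run from an elevated prompt, otherwise every Security subcategory is reported as Disabled."
    }
    # … unchanged: rule loading and the per-subcategory table …
    $totalRulesCount = $auditResult | Select-Object -ExpandProperty Rules | Measure-Object | Select-Object -ExpandProperty Count
    $usableRulesCount = $usableRules | Measure-Object | Select-Object -ExpandProperty Count
    # compare the number, format only for display
    $utilizationRate = if ($totalRulesCount -eq 0) { 0 } else { ($usableRulesCount / $totalRulesCount) * 100 }
    $utilizationPercentage = "{0:N2}" -f $utilizationRate
    $color = if ($utilizationRate -ge 70) { "Green" } elseif ($utilizationRate -ge 10) { "DarkYellow" } else { "Red" }
    # … unchanged: summary output …
```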
@@ -11,78 +1058,35 @@ $logo = @"
 "@
-# Set the console encoding to UTF-8
+$help = @"
+Usage:
+ ./WELA.ps1 audit # Audit current setting and show in stdout, save to csv
+ ./WELA.ps1 audit gui # Audit current setting and show in gui
+ ./WELA.ps1 help # Show this help
+"@
+
 [Console]::OutputEncoding = [System.Text.Encoding]::UTF8
-
-# Step 1: Run the auditpol command using cmd.exe and redirect its output to a file
-$autidpolTxt = "auditpol_output.txt"
-Start-Process -FilePath "cmd.exe" -ArgumentList "/c chcp 437 & auditpol /get /category:* /r" -NoNewWindow -Wait -RedirectStandardOutput $autidpolTxt
-
 Write-Host $logo -ForegroundColor Green
-# Step 3: Set the applicable flag for each rule
-$rules = Set-Applicable -autidpolTxt $autidpolTxt -jsonRulePath "./config/security_rules.json"
+if ($args.Count -eq 0) {
+ Write-Host $help
+ exit 1
+}
-$allSecRules = $rules | Where-Object { $_.channel -eq "sec" }
-$allPwsRules = $rules | Where-Object { $_.channel -eq "pwsh" }
-$allPwsClaRules = $rules | Where-Object { $_.channel -eq "pwsh" -and ($_.event_ids -contains "400" -or $_.event_ids -contains "600" -or $_.event_ids.Count -eq 0) }
-$allPwsModRules = $rules | Where-Object { $_.channel -eq "pwsh" -and $_.event_ids -contains "4103" }
-$allPwsScrRules = $rules | Where-Object { $_.channel -eq "pwsh" -and $_.event_ids -contains "4104" }
+$command = $args[0].ToLower()
-$usableSecRules = $rules | Where-Object { $_.applicable -eq $true -and $_.channel -eq "sec" }
-$usablePwsRules = $rules | Where-Object { $_.applicable -eq $true -and $_.channel -eq "pwsh" }
-$usablePwsClaRules = $rules | Where-Object { $_.applicable -eq $true -and $_.channel -eq "pwsh" -and ($_.event_ids -contains "400" -or $_.event_ids -contains "600" -or $_.event_ids.Count -eq 0) }
-$usablePwsModRules = $rules | Where-Object { $_.applicable -eq $true -and $_.channel -eq "pwsh" -and $_.event_ids -contains "4103" }
-$usablePwsScrRules = $rules | Where-Object { $_.applicable -eq $true -and $_.channel -eq "pwsh" -and 
$_.event_ids -contains "4104" }
-
-# Step 4: Count the number of usable and unusable rules for each level
-$totalCounts = Get-RuleCounts -rules $rules
-$totalSecCounts = Get-RuleCounts -rules $allSecRules
-$totalPwsCounts = Get-RuleCounts -rules $allPwsRules
-$totalPwsClaCounts = Get-RuleCounts -rules $allPwsClaRules
-$totalPwsModCounts = Get-RuleCounts -rules $allPwsModRules
-$totalPwsScrCounts = Get-RuleCounts -rules $allPwsScrRules
-
-$usableSecCounts = Get-RuleCounts -rules $usableSecRules
-$usablePwsCounts = Get-RuleCounts -rules $usablePwsRules
-$usablePwsClaCounts = Get-RuleCounts -rules $usablePwsClaRules
-$usablePwsModCounts = Get-RuleCounts -rules $usablePwsModRules
-$usablePwsScrCounts = Get-RuleCounts -rules $usablePwsScrRules
-
-# Step 5: Calculate the usable rate for each level
-$usableSecRate = CalculateUsableRate -counts $usableSecCounts -totalCounts $totalSecCounts
-$usablePwsRate = CalculateUsableRate -counts $usablePwsCounts -totalCounts $totalPwsCounts
-$usablePwsClaRate = CalculateUsableRate -counts $usablePwsClaCounts -totalCounts $totalPwsClaCounts
-$usablePwsModRate = CalculateUsableRate -counts $usablePwsModCounts -totalCounts $totalPwsModCounts
-$usablePwsScrRate = CalculateUsableRate -counts $usablePwsScrCounts -totalCounts $totalPwsScrCounts
-
-# Step 6: Show the number of usable and unusable rules for each level
-$pwsModEnabled = CheckRegistryValue -registryPath "HKLM:\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\PowerShell\ModuleLogging" -valueName "EnableModuleLogging" -expectedValue 1
-$pwsScrEnabled = CheckRegistryValue -registryPath "HKLM:\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging" -valueName "EnableScriptBlockLogging" -expectedValue 1
-$pwsModStatus = if ($pwsModEnabled) { "Enabled" } else { "Disabled" }
-$pwsSrcStatus = if ($pwsScrEnabled) { "Enabled" } else { "Disabled" }
-
-# Step 7: Calculate the total usable rate
-$totalUsableSecRate = CalculateTotalUsableRate -usableRate $usableSecRate 
-$totalUsablePwsClaRate = CalculateTotalUsableRate -usableRate $usablePwsClaRate
-$totalUsablePwsModRate = CalculateTotalUsableRate -usableRate $usablePwsModRate
-$totalUsablePwsScrRate = CalculateTotalUsableRate -usableRate $usablePwsScrRate
-
-ShowRulesCountsByLevel -usableRate $usablePwsClaRate -msg "PowerShell classic logging detection rules: " -colorMsg "$totalUsablePwsClaRate (Enabled)"
-ShowRulesCountsByLevel -usableRate $usablePwsModRate -msg "PowerShell module logging detection rules: " -colorMsg "$totalUsablePwsModRate ($pwsModStatus)"
-ShowRulesCountsByLevel -usableRate $usablePwsScrRate -msg "PowerShell script block logging detection rules: " -colorMsg "$totalUsablePwsScrRate ($pwsSrcStatus)"
-ShowRulesCountsByLevel -usableRate $usableSecRate -msg "Security event log detection rules: " -colorMsg "$totalUsableSecRate (Partially Enabled)"
-ShowVerboseSecurity -rules $rules
-
-Write-Output "Usable detection rules list saved to: UsableRules.csv"
-Write-Output "Unusable detection rules list saved to: UnusableRules.csv"
-Write-Output ""
-$totalUsable = ($usableSecRate + $usablePwsRate | Measure-Object -Property UsableCount -Sum).Sum
-$totalRulesCount = ($totalCounts | Measure-Object -Property Count -Sum).Sum
-$utilizationPercentage = "{0:N2}" -f (($totalUsable / $totalRulesCount) * 100)
-Write-Output "You can utilize $utilizationPercentage% of your detection rules."
-
-# Step 8: Save the lists of usable and unusable rules to CSV files
-$unusableRules = $rules | Where-Object { $_.applicable -eq $false }
-$usableSecRules | Select-Object title, level, id | Export-Csv -Path "UsableRules.csv" -NoTypeInformation
-$unusableRules | Select-Object title, level, id | Export-Csv -Path "UnusableRules.csv" -NoTypeInformation
+switch ($command) {
+ "audit" {
+ $outType = "std"
+ if ($args.Count -eq 2) {
+ $outType = $args[1].ToLower()
+ }
+ AuditLogSetting $outType
+ }
+ "help" {
+ Write-Host $help
+ }
+ default {
+ Write-Host $help
+ }
+}
\ No newline at end of file
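Review bot: The `audit` branch hands `$args[1].ToLower()` to AuditLogSetting without checking it is one of the two output types the help text documents, so `./WELA.ps1 audit csv` is accepted silently and, judging by the `if ($outType -eq "std") ... elseif ($outType -eq "gui")` chain earlier in this file, neither report is shown while the UsableRules/UnusableRules CSV files are still written. A guard such as `if ($outType -notin @('std', 'gui')) { Write-Host $help; exit 1 }` before the call would make the mistake visible instead of producing a half-finished audit. The `default` branch should also `exit 1` like the no-argument path so a scripted caller can distinguish a mistyped command from a successful `help` invocation. The deleted Test-IsAdministrator helper seems to have had no caller in the old main either, but an audit-policy check still needs elevation, so an explicit `[Security.Principal.WindowsPrincipal]` check before AuditLogSetting is worth considering; AuditLogSetting's body starts outside this hunk.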
diff --git a/WELAFunctions.psm1 b/WELAFunctions.psm1
deleted file mode 100644
index 64e2bcbe..00000000
--- a/WELAFunctions.psm1
+++ /dev/null
@@ -1,223 +0,0 @@ -<# -.SYNOPSIS - Checks if a registry value matches the expected value. -.DESCRIPTION - This function retrieves a registry value and compares it to the expected value. -.PARAMETER registryPath - The path to the registry key. -.PARAMETER valueName - The name of the registry value. -.PARAMETER expectedValue - The expected value to compare against. -.RETURNS - [bool] $true if the registry value matches the expected value, otherwise $false. -#> -function CheckRegistryValue { - param ( - [string]$registryPath, - [string]$valueName, - [int]$expectedValue - ) - - try { - $value = Get-ItemProperty -Path $registryPath -Name $valueName -ErrorAction Stop - if ($value.$valueName -eq $expectedValue) { - return $true - } else { - return $false - } - } catch { - return $false - } -} - - -<# -.SYNOPSIS - Sets the applicable rules based on the provided audit policy text and JSON rule path. - -.DESCRIPTION - This function reads the audit policy text file and extracts GUIDs. It then checks the registry values for PowerShell logging settings and updates the applicability of rules in the JSON file based on these settings and the extracted GUIDs. - -.PARAMETER autidpolTxt - The path to the audit policy text file. - -.PARAMETER jsonRulePath - The path to the JSON rule file. - -.RETURNS - The updated JSON content with the applicability of rules set. 
- -.EXAMPLE - Set-Applicable -autidpolTxt "C:\path\to\auditpol.txt" -jsonRulePath "C:\path\to\rules.json" -#> -function Set-Applicable { - param ( - [string]$autidpolTxt, - [string]$jsonRulePath - ) - - $extractedGuids = [System.Collections.Generic.HashSet[string]]::new() - Get-Content -Path $autidpolTxt | Select-String -NotMatch "No Auditing" | ForEach-Object { - if ($_ -match '{(.*?)}') { - [void]$extractedGuids.Add($matches[1]) - } - } - - $pwshModuleLogging = CheckRegistryValue -registryPath "HKLM:\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\PowerShell\ModuleLogging" -valueName "EnableModuleLogging" -expectedValue 1 - $pwshScriptLogging = CheckRegistryValue -registryPath "HKLM:\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging" -valueName "EnableScriptBlockLogging" -expectedValue 1 - - $jsonContent = Get-Content -Path $jsonRulePath -Raw | ConvertFrom-Json - foreach ($rule in $jsonContent) { - $rule | Add-Member -MemberType NoteProperty -Name "applicable" -Value $false - if ($rule.channel -eq "pwsh") { - if ($rule.event_ids -contains "400" -or $rule.event_ids -contains "600" -or $rule.event_ids.Count -eq 0) { - $rule.applicable = $true - } elseif ($rule.event_ids -contains "4103") { - $rule.applicable = $pwshModuleLogging - } elseif ($rule.event_ids -contains "4104") { - $rule.applicable = $pwshScriptLogging - } - continue - } - foreach ($guid in $rule.subcategory_guids) { - if ($extractedGuids.Contains($guid)) { - $rule.applicable = $true - break - } - } - } - return $jsonContent -} - - -<# -.SYNOPSIS - Groups the rules by their level and counts the number of rules in each level. -.PARAMETER rules - The collection of rules to be grouped and counted. -.RETURNS - A hashtable with the count of rules for each level. 
-#> -function Get-RuleCounts { - param ($rules) - $levels = @("critical", "high", "medium", "low", "informational") - $counts = @{} - - $rules | Group-Object -Property level | ForEach-Object { - $counts[$_.Name] = $_.Count - } - - foreach ($level in $levels) { - if (-not $counts.ContainsKey($level)) { - $counts[$level] = 0 - } - } - - return $counts.GetEnumerator() | ForEach-Object { - [PSCustomObject]@{ - Level = $_.Key - Count = $_.Value - } - } -} - -<# -.SYNOPSIS - Calculates the usable rate of rules based on their counts and total counts. -.PARAMETER counts - The counts of usable rules for each level. -.PARAMETER totalCounts - The total counts of rules for each level. -.RETURNS - A collection of objects representing the usable rate for each level. -#> -function CalculateUsableRate { - param ($counts, $totalCounts) - $result = @() - $totalCounts | ForEach-Object { - $level = $_.Level - $total = $_.Count - $usableCount = ($counts | Where-Object Level -eq $level | Select-Object -ExpandProperty Count -First 1) - if ($null -eq $usableCount) { $usableCount = 0 } - $percentage = if ($total -ne 0) { "{0:N2}" -f ($usableCount / $total * 100) } else { "0.00" } - $result += [PSCustomObject]@{ - Level = $level - UsableCount = $usableCount - TotalCount = $total - Percentage = $percentage - } - } - return $result -} - - -<# -.SYNOPSIS - Calculates the total usable rate of rules. -.PARAMETER usableRate - The collection of objects representing the usable rate for each level. -.RETURNS - A string representing the total usable rate as a percentage. -#> -function CalculateTotalUsableRate { - param ($usableRate) - $totalUsable = ($usableRate | Measure-Object -Property UsableCount -Sum).Sum - $totalRulesCount = ($usableRate | Measure-Object -Property TotalCount -Sum).Sum - return "{0:N2}%" -f ($totalUsable / $totalRulesCount * 100) -} - - -<# -.SYNOPSIS - Displays the counts of rules by their level with color-coded output. 
-.PARAMETER usableRate - The collection of objects representing the usable rate for each level. -.PARAMETER msg - The message to display before the counts. -.PARAMETER colorMsg - The message to display with color coding. -#> -function ShowRulesCountsByLevel { - param ($usableRate, $msg, $colorMsg) - Write-Host -NoNewline $msg - $color = if ($colorMsg -match "Disabled") { "Red" } elseif ($colorMsg -match "Partially") { "Yellow" } else { "Green" } - Write-Host "$colorMsg" -ForegroundColor $color - $levelColorMap = [ordered]@{ - "critical" = "Red" - "high" = "DarkYellow" - "medium" = "Yellow" - "low" = "Green" - "informational" = "White" # Assuming a default color for informational - } - $i = 0 - Write-Host -NoNewline " - " - $usableRate | Sort-Object { $levelColorMap.Keys.IndexOf($_.Level) } | ForEach-Object { - $color = $levelColorMap[$_.Level] - $level = if ($_.Level -match "informational") { "info" } else { $_.Level } - Write-Host -NoNewline "$($level): $($_.UsableCount)/$($_.TotalCount) ($($_.Percentage)%)" -ForegroundColor $color - if ($i -lt $usableRate.Count - 1) - { - Write-Host -NoNewline ", " - } - $i++ - } - Write-Output "" - Write-Output "" -} - -<# -.SYNOPSIS - Checks if the current user is an administrator. -.DESCRIPTION - This function determines if the current user has administrative privileges. -.RETURNS - [bool] $true if the current user is an administrator, otherwise $false. -#> -function Test-IsAdministrator { - $currentUser = [Security.Principal.WindowsIdentity]::GetCurrent() - $adminRole = [Security.Principal.WindowsBuiltInRole]::Administrator - return (New-Object Security.Principal.WindowsPrincipal($currentUser)).IsInRole($adminRole) -} - - diff --git a/WELAVerboseSecAudit.psm1 b/WELAVerboseSecAudit.psm1 deleted file mode 100644 index 5a712a4f..00000000 --- a/WELAVerboseSecAudit.psm1 +++ /dev/null 
@@ -1,375 +0,0 @@ -function CountRules { - param ( - [string]$guid, - [array]$rules - ) - $filterd_rules = $rules | Where-Object { $_.subcategory_guids -contains $guid } - - if ($filterd_rules.Count -eq 0) { - return "no rules" - } - $counts = @{ - critical = 0 - high = 0 - medium = 0 - low = 0 - informational = 0 - } - - foreach ($rule in $filterd_rules) { - if ($counts.ContainsKey($rule.level)) { - $counts[$rule.level]++ - } - } - $status = if ($filterd_rules[0].applicable) { "enabled" } else { "disabled" } - $result = "$status (critical: $($counts['critical']) | high: $($counts['high']) | medium: $($counts['medium']) | low: $($counts['low']), info: $($counts['informational']))" - return $result -} - -function ColorPrint { - param ( - [string]$line, - [string]$category, - [array]$sub_categories - ) - - if ($line.Trim() -eq $category.Trim()) { - $allEnabled = $true - $allDisabled = $true - - foreach ($sub_category in $sub_categories) { - if ($sub_category -notmatch 'enabled') { - $allEnabled = $false - } - if ($sub_category -notmatch 'disabled') { - $allDisabled = $false - } - } - - if ($allEnabled) { - Write-Host $category -ForegroundColor Green - } elseif ($allDisabled) { - Write-Host $category -ForegroundColor Red - } else { - Write-Host $category -ForegroundColor DarkYellow - } - } -} - -function ShowVerboseSecurity { - param ( - [array]$rules - ) - - $m_credential_validation = CountRules -guid "0CCE923F-69AE-11D9-BED3-505054503030" -rules $rules - $m_kerberos_authentication_service = CountRules -guid "0CCE9242-69AE-11D9-BED3-505054503030" -rules $rules - $m_kerberos_sevice_ticket_operations = CountRules -guid "0CCE9240-69AE-11D9-BED3-505054503030" -rules $rules - $m_computer_account_management = CountRules -guid "0CCE9236-69AE-11D9-BED3-505054503030" -rules $rules - $m_other_account_management = CountRules -guid "0CCE923A-69AE-11D9-BED3-505054503030" -rules $rules - $m_security_group_management = CountRules -guid "0CCE9237-69AE-11D9-BED3-505054503030" -rules 
$rules - $m_user_account_management = CountRules -guid "0CCE9235-69AE-11D9-BED3-505054503030" -rules $rules - $m_plug_and_play_events = CountRules -guid "0CCE9248-69AE-11D9-BED3-505054503030" -rules $rules - $m_process_creation = CountRules -guid "0CCE922B-69AE-11D9-BED3-505054503030" -rules $rules - $m_process_termination = CountRules -guid "0CCE922C-69AE-11D9-BED3-505054503030" -rules $rules - $m_rpc_events = CountRules -guid "0CCE922E-69AE-11D9-BED3-505054503030" -rules $rules - $m_token_right_adjusted_events = CountRules -guid "0CCE924A-69AE-11D9-BED3-505054503030" -rules $rules - $m_directory_service_access = CountRules -guid "0CCE923B-69AE-11D9-BED3-505054503030" -rules $rules - $m_directory_service_changes = CountRules -guid "0CCE923C-69AE-11D9-BED3-505054503030" -rules $rules - $m_account_lockout = CountRules -guid "0CCE9217-69AE-11D9-BED3-505054503030" -rules $rules - $m_group_membership = CountRules -guid "0CCE9249-69AE-11D9-BED3-505054503030" -rules $rules - $m_logoff = CountRules -guid "0CCE9216-69AE-11D9-BED3-505054503030" -rules $rules - $m_logon = CountRules -guid "0CCE9215-69AE-11D9-BED3-505054503030" -rules $rules - $m_other_logon_logoff_events = CountRules -guid "0CCE921C-69AE-11D9-BED3-505054503030" -rules $rules - $m_special_logon = CountRules -guid "0CCE921B-69AE-11D9-BED3-505054503030" -rules $rules - $m_certification_services = CountRules -guid "0CCE9221-69AE-11D9-BED3-505054503030" -rules $rules - $m_detailed_file_share = CountRules -guid "0CCE9244-69AE-11D9-BED3-505054503030" -rules $rules - $m_file_share = CountRules -guid "0CCE9224-69AE-11D9-BED3-505054503030" -rules $rules - $m_file_system = CountRules -guid "0CCE921D-69AE-11D9-BED3-505054503030" -rules $rules - $m_filtering_platform_connection = CountRules -guid "0CCE9226-69AE-11D9-BED3-505054503030" -rules $rules - $m_filtering_platform_packet_drop = CountRules -guid "0CCE9225-69AE-11D9-BED3-505054503030" -rules $rules - $m_kernel_object = CountRules -guid 
"0CCE921F-69AE-11D9-BED3-505054503030" -rules $rules - $m_handle_manipulation = CountRules -guid "0CCE9223-69AE-11D9-BED3-505054503030" -rules $rules - $m_other_object_access_events = CountRules -guid "0CCE9227-69AE-11D9-BED3-505054503030" -rules $rules - $m_registry = CountRules -guid "0CCE921E-69AE-11D9-BED3-505054503030" -rules $rules - $m_removable_storage = CountRules -guid "0CCE9245-69AE-11D9-BED3-505054503030" -rules $rules - $m_sam = CountRules -guid "0CCE9220-69AE-11D9-BED3-505054503030" -rules $rules - $m_audit_policy_change = CountRules -guid "0CCE922F-69AE-11D9-BED3-505054503030" -rules $rules - $m_authentication_policy_change = CountRules -guid "0CCE9230-69AE-11D9-BED3-505054503030" -rules $rules - $m_authorization_policy_change = CountRules -guid "0CCE9231-69AE-11D9-BED3-505054503030" -rules $rules - $m_filtering_platform_policy_change = CountRules -guid "0CCE9233-69AE-11D9-BED3-505054503030" -rules $rules - $m_mpssvc_rule_level_policy_change = CountRules -guid "0CCE9232-69AE-11D9-BED3-505054503030" -rules $rules - $m_other_policy_change_events = CountRules -guid "0CCE9234-69AE-11D9-BED3-505054503030" -rules $rules - $m_non_sensitive_use_events = CountRules -guid "0CCE9229-69AE-11D9-BED3-505054503030" -rules $rules - $m_sensitive_privilege_use = CountRules -guid "0CCE9228-69AE-11D9-BED3-505054503030" -rules $rules - $m_other_system_events = CountRules -guid "0CCE9214-69AE-11D9-BED3-505054503030" -rules $rules - $m_security_state_change = CountRules -guid "0CCE9210-69AE-11D9-BED3-505054503030" -rules $rules - $m_security_system_extension = CountRules -guid "0CCE9211-69AE-11D9-BED3-505054503030" -rules $rules - $m_system_integrity = CountRules -guid "0CCE9212-69AE-11D9-BED3-505054503030" -rules $rules - - $msg = @" -Detailed Security category settings: -Account Logon - - Credential Validation: $m_credential_validation - - Volume: Depends on NTLM usage. Could be high on DCs and low on clients and servers. 
- - Default settings: Client OS: No Auditing | Server OS: Success - - Recommended settings: Client and Server OSes: Success and Failure - - Kerberos Authentication Service: $m_kerberos_authentication_service - - Volume: High - - Default settings: Client OS: No Auditing | Server OS: Success - - Recommended settings: Client OS: No Auditing | Server OS: Success and Failure - - Kerberos Service Ticket Operations: $m_kerberos_sevice_ticket_operations - - Volume: High - - Default settings: Client OS: No Auditing | Server OS: Success - - Recommended settings: Domain Controllers: Success and Failure -Account Management - - Computer Account Management: $m_computer_account_management - - Volume: Low - - Default settings: Client OS: No Auditing | Server OS: Success Only - - Recommended settings: Domain Controllers: Success and Failure - - Other Account Management Events: $m_other_account_management - - Volume: Low - - Default settings: No Auditing - - Recommended settings: Success and Failure - - Security Group Management: $m_security_group_management - - Volume: Low - - Default settings: Success - - Recommended settings: Success and Failure - - User Account Management: $m_user_account_management - - Volume: Low - - Default settings: Success - - Recommended settings: Success and Failure -Detailed Tracking - - Plug and Play Events: $m_plug_and_play_events - - Volume: Typcially low - - Default settings: No Auditing - - Recommended settings: Success and Failure - - Process Creation: $m_process_creation - - Volume: High - - Default settings: No Auditing - - Recommended settings: Success and Failure if sysmon is not configured. - - Process Termination: $m_process_termination - - Volume: High - - Default settings: No Auditing - - Recommended settings: No Auditing unless you want to track the lifespan of processes. 
- - RPC (Remote Procedure Call) Events: $m_rpc_events - - Volume: High on RPC servers (According to Microsoft) - - Default settings: No Auditing - - Recommended settings: Unknown. Needs testing. - - Token Right Adjusted Events: $m_token_right_adjusted_events - - Volume: Unknown - - Default settings: No Auditing - - Recommended settings: Unknown. Needs testing. -DS (Directory Service) Access - - Directory Service Access: $m_directory_service_access - - Volume: High - - Default settings: Client OS: No Auditing | Server OS: Success - - Recommended settings: Client OS: No Auditing | ADDS Server: Success and Failure - - Directory Service Changes: $m_directory_service_changes - - Volume: High - - Default settings: No Auditing - - Recommended settings: Client OS: No Auditing | ADDS Server: Success and Failure -Logon/Logoff - - Account Lockout: $m_account_lockout - - Volume: Low - - Default settings: Success - - Recommended settings: Success and Failure - - Group Membership: $m_group_membership - - Volume: Adds an extra 4627 event to every logon. - - Default settings: No Auditing - - Recommended settings: No Auditing - - Logoff: $m_logoff - - Volume: High - - Default settings: Success - - Recommended settings: Success - - Logon: $m_logon - - Volume: Low on clients, medium on DCs or network servers - - Default settings: Client OS: Success | Server OS: Success and Failure - - Recommended settings: Success and Failure - - Other Logon/Logoff Events: $m_other_logon_logoff_events - - Volume: Low - - Default settings: No Auditing - - Recommended settings: Success and Failure - - Special Logon: $m_special_logon - - Volume: Low on clients. Medium on DC or network servers. - - Default settings: Success - - Recommended settings: Success and Failure -Object Access - - Certification Services: $m_certification_services - - Volume: Low to medium - - Default settings: No Auditing - - Recommended settings: Success and Failure for AD CS role servers. 
- - Detailed File Share: $m_detailed_file_share - - Volume: Very high for file servers and DCs, however, may be necessary if you want to track who is accessing what files as well as detect various lateral movement. - - Default settings: No Auditing - - Recommended settings: No Auditing due to the high noise level. Enable if you can though. - - File Share: $m_file_share - - Volume: High for file servers and DCs. - - Default settings: No Auditing - - Recommended settings: Success and Failure - - File System: $m_file_system - - Volume: Depends on SACL rules - - Default settings: No Auditing - - Recommended settings: Enable SACLs just for sensitive files - - Filtering Platform Connection: $m_filtering_platform_connection - - Volume: High - - Default settings: No Auditing - - Recommended settings: Success and Failure if you have enough space and are not monitoring network connections with sysmon. This should cause a high amount of events though. - - Filtering Platform Packet Drop: $m_filtering_platform_packet_drop - - Volume: High - - Default settings: No Auditing - - Recommended settings: Success and Failure if you have enough space and are not monitoring network connections with sysmon. This should cause a high amount of events though. - - Kernel Object: $m_kernel_object - - Volume: High if auditing access of global object access is enabled - - Default settings: No Auditing - - Recommended settings: Success and Failure but do not enable Audit the access of global system objects as you will generate too many 4663: Object Access events. 
- - Handle Manipulation: $m_handle_manipulation - - Volume: High - - Default settings: No Auditing - - Recommended settings: Success and Failure - - Other Object Access Events: $m_other_object_access_events - - Volume: Low - - Default settings: No Auditing - - Recommended settings: Success and Failure - - Registry: $m_registry - - Volume: Depends on SACLs - - Default settings: No Auditing - - Recommended settings: Set SACLs for only the registry keys that you want to monitor - - Removable Storage: $m_removable_storage - - Volume: Depends on how much removable storage is used - - Default settings: No Auditing - - Recommended settings: Success and Failure if you want to monitor external device usage. - - SAM: $m_sam - - Volume: High volume of events on Domain Controllers - - Default settings: No Auditing - - Recommended settings: Success and Failure if you can but may cause too high volume of noise so should be tested beforehand. -Policy Change - - Audit Policy Change: $m_audit_policy_change - - Volume: Low - - Default settings: Success - - Recommended settings: Success and Failure - - Authentication Policy Change: $m_authentication_policy_change - - Volume: Low - - Default settings: Success - - Recommended settings: Success and Failure - - Authorization Policy Change: $m_authorization_policy_change - - Volume: Medium to High - - Default settings: No Auditing - - Recommended settings: Unknown. Needs testing. - - Filtering Platform Policy Change: $m_filtering_platform_policy_change - - Volume: Low - - Default settings: No Auditing - - Recommended settings: Unknown, Needs testing. - - MPSSVC Rule-Level Policy Change: $m_mpssvc_rule_level_policy_change - - Volume: Low - - Default settings: No Auditing - - Recommended settings: Unknown. Needs testing. 
- - Other Policy Change Events: $m_other_policy_change_events - - Volume: Low - - Default settings: No Auditing - - Recommended settings: No Auditing (Note: ACSC recommends Success and Failure, however, this results in a lot of noise of 5447 (A Windows Filtering Platform filter has been changed) events being generated.) -Privilege Use - - Non Sensitive Use Events: $m_non_sensitive_use_events - - Volume: Very high - - Default settings: No Auditing - - Recommended settings: No Auditing - - Sensitive Privilege Use: $m_sensitive_privilege_use - - Volume: High - - Default settings: No Auditing - - Recommended settings: Success and Failure However, this may be too noisy. -System - - Other System Events: $m_other_system_events - - Volume: Low - - Default settings: Success and Failure - - Recommended settings: Unknown. Needs testing. - - Security State Change: $m_security_state_change - - Volume: Low - - Default settings: Success - - Recommended settings: Success and Failure - - Security System Extension: $m_security_system_extension - - Volume: Low, but more on DCs - - Default settings: No Auditing - - Recommended settings: Success and Failure - - System Integrity: $m_system_integrity - - Volume: Low - - Default settings: Sucess, Failure - - Recommended settings: Success and Failure -"@ - - $msgLines = $msg -split "`n" - foreach ($line in $msgLines) { - ColorPrint -line $line -category "Account Logon" -sub_categories @( - $m_credential_validation, - $m_kerberos_authentication_service, - $m_kerberos_sevice_ticket_operations - ) - ColorPrint -line $line -category "Account Management" -sub_categories @( - $m_computer_account_management, - $m_other_account_management, - $m_security_group_management, - $m_user_account_management - ) - ColorPrint -line $line -category "Detailed Tracking" -sub_categories @( - $m_plug_and_play_events, - $m_process_creation, - $m_process_termination, - $m_rpc_events, - $m_token_right_adjusted_events - ) - ColorPrint -line $line -category "DS 
(Directory Service) Access" -sub_categories @( - $m_directory_service_access, - $m_directory_service_changes - ) - ColorPrint -line $line -category "Logon/Logoff" -sub_categories @( - $m_account_lockout, - $m_group_membership, - $m_logoff, - $m_logon, - $m_other_logon_logoff_events, - $m_special_logon - ) - ColorPrint -line $line -category "Object Access" -sub_categories @( - $m_certification_services, - $m_detailed_file_share, - $m_file_share, - $m_file_system, - $m_filtering_platform_connection, - $m_filtering_platform_packet_drop, - $m_kernel_object, - $m_handle_manipulation, - $m_other_object_access_events, - $m_registry, - $m_removable_storage, - $m_sam - ) - ColorPrint -line $line -category "Policy Change" -sub_categories @( - $m_audit_policy_change, - $m_authentication_policy_change, - $m_authorization_policy_change, - $m_filtering_platform_policy_change, - $m_mpssvc_rule_level_policy_change, - $m_other_policy_change_events - ) - ColorPrint -line $line -category "Privilege Use" -sub_categories @( - $m_non_sensitive_use_events, - $m_sensitive_privilege_use - ) - ColorPrint -line $line -category "System" -sub_categories @( - $m_other_system_events, - $m_security_state_change, - $m_security_system_extension, - $m_system_integrity - ) - if ($line -match '.*disabled.*\(') { - Write-Host $line -ForegroundColor Red - } elseif ($line -match '.*enabled.*\(') { - Write-Host $line -ForegroundColor Green - } elseif ($line -match '.*no rules.*') { - Write-Host $line -ForegroundColor DarkYellow - } else { - if ($line -notmatch "Account Logon" -and $line -notmatch "Account Management" -and $line -notmatch "Detailed Tracking" -and $line -notmatch "DS \(Directory Service\) Access" -and $line -notmatch "Logon/Logoff" -and $line -notmatch "Object Access" -and $line -notmatch "Policy Change" -and $line -notmatch "Privilege Use" -and $line -notmatch "System") { - Write-Host $line - } - } - } - Write-Host "" -} \ No newline at end of file