CSEC_PUBLIC/WELA
1
0
Fork 0
mirror of https://github.com/Yamato-Security/WELA.git synced 2025-12-06 09:12:46 +01:00
Code Issues Packages Projects Releases Wiki Activity

refactor

Browse Source
This commit is contained in:
fukusuket
2025-03-22 15:22:15 +09:00
parent 48ed63e36a
commit e23d6430a1
1 changed files with 21 additions and 23 deletions
Download Patch File Download Diff File Expand all files Collapse all files

22
WELA.ps1
View File

@@ -1,12 +1,4 @@
Import-Module -Name ./WELAFunctions.psm1 Import-Module -Name ./WELAFunctions.psm1
# Set the console encoding to UTF-8
[Console]::OutputEncoding = [System.Text.Encoding]::UTF8
# Step 1: Run the auditpol command using cmd.exe and redirect its output to a file
$autidpolTxt = "auditpol_output.txt"
Start-Process -FilePath "cmd.exe" -ArgumentList "/c chcp 437 & auditpol /get /category:* /r" -NoNewWindow -Wait -RedirectStandardOutput $autidpolTxt
$logo = @" $logo = @"
@@ -17,14 +9,21 @@ $logo = @"
by Yamato Security by Yamato Security
"@ "@
# Set the console encoding to UTF-8
[Console]::OutputEncoding = [System.Text.Encoding]::UTF8
# Step 1: Run the auditpol command using cmd.exe and redirect its output to a file
$autidpolTxt = "auditpol_output.txt"
Start-Process -FilePath "cmd.exe" -ArgumentList "/c chcp 437 & auditpol /get /category:* /r" -NoNewWindow -Wait -RedirectStandardOutput $autidpolTxt
Write-Host $logo -ForegroundColor Green Write-Host $logo -ForegroundColor Green
# Step 3: Set the applicable flag for each rule # Step 3: Set the applicable flag for each rule
$rules = Set-Applicable -autidpolTxt $autidpolTxt -jsonRulePath "./config/security_rules.json" $rules = Set-Applicable -autidpolTxt $autidpolTxt -jsonRulePath "./config/security_rules.json"
$allSecRules = $rules | Where-Object { $_.channel -eq "sec" } $allSecRules = $rules | Where-Object { $_.channel -eq "sec" }
$allPwsClaRules = $rules | Where-Object { $_.channel -eq "pwsh" -and $_.event_ids -contains "400" } $allPwsClaRules = $rules | Where-Object { $_.channel -eq "pwsh" -and ($_.event_ids -contains "400" -or $_.event_ids -contains "600" -or $_.event_ids.Count -eq 0) }
$allPwsModRules = $rules | Where-Object { $_.channel -eq "pwsh" -and $_.event_ids -contains "4103" } $allPwsModRules = $rules | Where-Object { $_.channel -eq "pwsh" -and $_.event_ids -contains "4103" }
$allPwsScrRules = $rules | Where-Object { $_.channel -eq "pwsh" -and $_.event_ids -contains "4104" } $allPwsScrRules = $rules | Where-Object { $_.channel -eq "pwsh" -and $_.event_ids -contains "4104" }
@@ -34,8 +33,6 @@ $usablePwsClaRules = $rules | Where-Object { $_.applicable -eq $true -and $_.cha
$usablePwsModRules = $rules | Where-Object { $_.applicable -eq $true -and $_.channel -eq "pwsh" -and $_.event_ids -contains "4103" } $usablePwsModRules = $rules | Where-Object { $_.applicable -eq $true -and $_.channel -eq "pwsh" -and $_.event_ids -contains "4103" }
$usablePwsScrRules = $rules | Where-Object { $_.applicable -eq $true -and $_.channel -eq "pwsh" -and $_.event_ids -contains "4104" } $usablePwsScrRules = $rules | Where-Object { $_.applicable -eq $true -and $_.channel -eq "pwsh" -and $_.event_ids -contains "4104" }
$unusableRules = $rules | Where-Object { $_.applicable -eq $false }
# Step 4: Count the number of usable and unusable rules for each level # Step 4: Count the number of usable and unusable rules for each level
$totalCounts = Get-RuleCounts -rules $rules $totalCounts = Get-RuleCounts -rules $rules
$totalSecCounts = Get-RuleCounts -rules $allSecRules $totalSecCounts = Get-RuleCounts -rules $allSecRules
@@ -83,5 +80,6 @@ $utilizationPercentage = "{0:N2}" -f (($totalUsable / $totalRulesCount) * 100)
Write-Output "You can utilize $utilizationPercentage% of your detection rules." Write-Output "You can utilize $utilizationPercentage% of your detection rules."
# Step 8: Save the lists of usable and unusable rules to CSV files # Step 8: Save the lists of usable and unusable rules to CSV files
$unusableRules = $rules | Where-Object { $_.applicable -eq $false }
$usableSecRules | Select-Object title, level, id | Export-Csv -Path "UsableRules.csv" -NoTypeInformation $usableSecRules | Select-Object title, level, id | Export-Csv -Path "UsableRules.csv" -NoTypeInformation
$unusableRules | Select-Object title, level, id | Export-Csv -Path "UnusableRules.csv" -NoTypeInformation $unusableRules | Select-Object title, level, id | Export-Csv -Path "UnusableRules.csv" -NoTypeInformation