CSEC_PUBLIC/WELA
1
0
Fork 0
mirror of https://github.com/Yamato-Security/WELA.git synced 2025-12-19 07:23:07 +01:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #17 from Yamato-Security/8-verbose-sec-info

Browse Source 
feat: Verbose Security info
This commit is contained in:
Zach Mathis (田中ザック)
2025-04-05 08:40:44 +09:00
committed by GitHub
parent f79b96e95b e9116458bf
commit e99a843ba7
3 changed files with 378 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
WELA.ps1
View File

@@ -1,4 +1,5 @@
Import-Module -Name ./WELAFunctions.psm1
Import-Module -Name ./WELAVerboseSecAudit.psm1
$logo = @"
@@ -67,10 +68,11 @@ $totalUsablePwsClaRate = CalculateTotalUsableRate -usableRate $usablePwsClaRate
$totalUsablePwsModRate = CalculateTotalUsableRate -usableRate $usablePwsModRate
$totalUsablePwsScrRate = CalculateTotalUsableRate -usableRate $usablePwsScrRate
ShowRulesCountsByLevel -usableRate $usableSecRate -msg "Security event log detection rules: " -colorMsg "$totalUsableSecRate (Partially Enabled)"
ShowRulesCountsByLevel -usableRate $usablePwsClaRate -msg "PowerShell classic logging detection rules: " -colorMsg "$totalUsablePwsClaRate (Enabled)"
ShowRulesCountsByLevel -usableRate $usablePwsModRate -msg "PowerShell module logging detection rules: " -colorMsg "$totalUsablePwsModRate ($pwsModStatus)"
ShowRulesCountsByLevel -usableRate $usablePwsScrRate -msg "PowerShell script block logging detection rules: " -colorMsg "$totalUsablePwsScrRate ($pwsSrcStatus)"
ShowRulesCountsByLevel -usableRate $usableSecRate -msg "Security event log detection rules: " -colorMsg "$totalUsableSecRate (Partially Enabled)"
ShowVerboseSecurity -rules $rules
Write-Output "Usable detection rules list saved to: UsableRules.csv"
Write-Output "Unusable detection rules list saved to: UnusableRules.csv"

4
WELAFunctions.psm1
View File

@@ -220,8 +220,4 @@ function Test-IsAdministrator {
return (New-Object Security.Principal.WindowsPrincipal($currentUser)).IsInRole($adminRole)
}
if (-not (Test-IsAdministrator)) {
Write-Output "This script must be run as an Administrator."
exit
}

375
WELAVerboseSecAudit.psm1 Normal file
View File

@@ -0,0 +1,375 @@
function CountRules {
param (
[string]$guid,
[array]$rules
)
$filterd_rules = $rules | Where-Object { $_.subcategory_guids -contains $guid }
if ($filterd_rules.Count -eq 0) {
return "no rules"
}
$counts = @{
critical = 0
high = 0
medium = 0
low = 0
informational = 0
}
foreach ($rule in $filterd_rules) {
if ($counts.ContainsKey($rule.level)) {
$counts[$rule.level]++
}
}
$status = if ($filterd_rules[0].applicable) { "enabled" } else { "disabled" }
$result = "$status (critical: $($counts['critical']) | high: $($counts['high']) | medium: $($counts['medium']) | low: $($counts['low']), info: $($counts['informational']))"
return $result
}
function ColorPrint {
param (
[string]$line,
[string]$category,
[array]$sub_categories
)
if ($line.Trim() -eq $category.Trim()) {
$allEnabled = $true
$allDisabled = $true
foreach ($sub_category in $sub_categories) {
if ($sub_category -notmatch 'enabled') {
$allEnabled = $false
}
if ($sub_category -notmatch 'disabled') {
$allDisabled = $false
}
}
if ($allEnabled) {
Write-Host $category -ForegroundColor Green
} elseif ($allDisabled) {
Write-Host $category -ForegroundColor Red
} else {
Write-Host $category -ForegroundColor DarkYellow
}
}
}
function ShowVerboseSecurity {
param (
[array]$rules
)
$m_credential_validation = CountRules -guid "0CCE923F-69AE-11D9-BED3-505054503030" -rules $rules
$m_kerberos_authentication_service = CountRules -guid "0CCE9242-69AE-11D9-BED3-505054503030" -rules $rules
$m_kerberos_sevice_ticket_operations = CountRules -guid "0CCE9240-69AE-11D9-BED3-505054503030" -rules $rules
$m_computer_account_management = CountRules -guid "0CCE9236-69AE-11D9-BED3-505054503030" -rules $rules
$m_other_account_management = CountRules -guid "0CCE923A-69AE-11D9-BED3-505054503030" -rules $rules
$m_security_group_management = CountRules -guid "0CCE9237-69AE-11D9-BED3-505054503030" -rules $rules
$m_user_account_management = CountRules -guid "0CCE9235-69AE-11D9-BED3-505054503030" -rules $rules
$m_plug_and_play_events = CountRules -guid "0CCE9248-69AE-11D9-BED3-505054503030" -rules $rules
$m_process_creation = CountRules -guid "0CCE922B-69AE-11D9-BED3-505054503030" -rules $rules
$m_process_termination = CountRules -guid "0CCE922C-69AE-11D9-BED3-505054503030" -rules $rules
$m_rpc_events = CountRules -guid "0CCE922E-69AE-11D9-BED3-505054503030" -rules $rules
$m_token_right_adjusted_events = CountRules -guid "0CCE924A-69AE-11D9-BED3-505054503030" -rules $rules
$m_directory_service_access = CountRules -guid "0CCE923B-69AE-11D9-BED3-505054503030" -rules $rules
$m_directory_service_changes = CountRules -guid "0CCE923C-69AE-11D9-BED3-505054503030" -rules $rules
$m_account_lockout = CountRules -guid "0CCE9217-69AE-11D9-BED3-505054503030" -rules $rules
$m_group_membership = CountRules -guid "0CCE9249-69AE-11D9-BED3-505054503030" -rules $rules
$m_logoff = CountRules -guid "0CCE9216-69AE-11D9-BED3-505054503030" -rules $rules
$m_logon = CountRules -guid "0CCE9215-69AE-11D9-BED3-505054503030" -rules $rules
$m_other_logon_logoff_events = CountRules -guid "0CCE921C-69AE-11D9-BED3-505054503030" -rules $rules
$m_special_logon = CountRules -guid "0CCE921B-69AE-11D9-BED3-505054503030" -rules $rules
$m_certification_services = CountRules -guid "0CCE9221-69AE-11D9-BED3-505054503030" -rules $rules
$m_detailed_file_share = CountRules -guid "0CCE9244-69AE-11D9-BED3-505054503030" -rules $rules
$m_file_share = CountRules -guid "0CCE9224-69AE-11D9-BED3-505054503030" -rules $rules
$m_file_system = CountRules -guid "0CCE921D-69AE-11D9-BED3-505054503030" -rules $rules
$m_filtering_platform_connection = CountRules -guid "0CCE9226-69AE-11D9-BED3-505054503030" -rules $rules
$m_filtering_platform_packet_drop = CountRules -guid "0CCE9225-69AE-11D9-BED3-505054503030" -rules $rules
$m_kernel_object = CountRules -guid "0CCE921F-69AE-11D9-BED3-505054503030" -rules $rules
$m_handle_manipulation = CountRules -guid "0CCE9223-69AE-11D9-BED3-505054503030" -rules $rules
$m_other_object_access_events = CountRules -guid "0CCE9227-69AE-11D9-BED3-505054503030" -rules $rules
$m_registry = CountRules -guid "0CCE921E-69AE-11D9-BED3-505054503030" -rules $rules
$m_removable_storage = CountRules -guid "0CCE9245-69AE-11D9-BED3-505054503030" -rules $rules
$m_sam = CountRules -guid "0CCE9220-69AE-11D9-BED3-505054503030" -rules $rules
$m_audit_policy_change = CountRules -guid "0CCE922F-69AE-11D9-BED3-505054503030" -rules $rules
$m_authentication_policy_change = CountRules -guid "0CCE9230-69AE-11D9-BED3-505054503030" -rules $rules
$m_authorization_policy_change = CountRules -guid "0CCE9231-69AE-11D9-BED3-505054503030" -rules $rules
$m_filtering_platform_policy_change = CountRules -guid "0CCE9233-69AE-11D9-BED3-505054503030" -rules $rules
$m_mpssvc_rule_level_policy_change = CountRules -guid "0CCE9232-69AE-11D9-BED3-505054503030" -rules $rules
$m_other_policy_change_events = CountRules -guid "0CCE9234-69AE-11D9-BED3-505054503030" -rules $rules
$m_non_sensitive_use_events = CountRules -guid "0CCE9229-69AE-11D9-BED3-505054503030" -rules $rules
$m_sensitive_privilege_use = CountRules -guid "0CCE9228-69AE-11D9-BED3-505054503030" -rules $rules
$m_other_system_events = CountRules -guid "0CCE9214-69AE-11D9-BED3-505054503030" -rules $rules
$m_security_state_change = CountRules -guid "0CCE9210-69AE-11D9-BED3-505054503030" -rules $rules
$m_security_system_extension = CountRules -guid "0CCE9211-69AE-11D9-BED3-505054503030" -rules $rules
$m_system_integrity = CountRules -guid "0CCE9212-69AE-11D9-BED3-505054503030" -rules $rules
$msg = @"
Detailed Security category settings:
Account Logon
- Credential Validation: $m_credential_validation
- Volume: Depends on NTLM usage. Could be high on DCs and low on clients and servers.
- Default settings: Client OS: No Auditing | Server OS: Success
- Recommended settings: Client and Server OSes: Success and Failure
- Kerberos Authentication Service: $m_kerberos_authentication_service
- Volume: High
- Default settings: Client OS: No Auditing | Server OS: Success
- Recommended settings: Client OS: No Auditing | Server OS: Success and Failure
- Kerberos Service Ticket Operations: $m_kerberos_sevice_ticket_operations
- Volume: High
- Default settings: Client OS: No Auditing | Server OS: Success
- Recommended settings: Domain Controllers: Success and Failure
Account Management
- Computer Account Management: $m_computer_account_management
- Volume: Low
- Default settings: Client OS: No Auditing | Server OS: Success Only
- Recommended settings: Domain Controllers: Success and Failure
- Other Account Management Events: $m_other_account_management
- Volume: Low
- Default settings: No Auditing
- Recommended settings: Success and Failure
- Security Group Management: $m_security_group_management
- Volume: Low
- Default settings: Success
- Recommended settings: Success and Failure
- User Account Management: $m_user_account_management
- Volume: Low
- Default settings: Success
- Recommended settings: Success and Failure
Detailed Tracking
- Plug and Play Events: $m_plug_and_play_events
- Volume: Typcially low
- Default settings: No Auditing
- Recommended settings: Success and Failure
- Process Creation: $m_process_creation
- Volume: High
- Default settings: No Auditing
- Recommended settings: Success and Failure if sysmon is not configured.
- Process Termination: $m_process_termination
- Volume: High
- Default settings: No Auditing
- Recommended settings: No Auditing unless you want to track the lifespan of processes.
- RPC (Remote Procedure Call) Events: $m_rpc_events
- Volume: High on RPC servers (According to Microsoft)
- Default settings: No Auditing
- Recommended settings: Unknown. Needs testing.
- Token Right Adjusted Events: $m_token_right_adjusted_events
- Volume: Unknown
- Default settings: No Auditing
- Recommended settings: Unknown. Needs testing.
DS (Directory Service) Access
- Directory Service Access: $m_directory_service_access
- Volume: High
- Default settings: Client OS: No Auditing | Server OS: Success
- Recommended settings: Client OS: No Auditing | ADDS Server: Success and Failure
- Directory Service Changes: $m_directory_service_changes
- Volume: High
- Default settings: No Auditing
- Recommended settings: Client OS: No Auditing | ADDS Server: Success and Failure
Logon/Logoff
- Account Lockout: $m_account_lockout
- Volume: Low
- Default settings: Success
- Recommended settings: Success and Failure
- Group Membership: $m_group_membership
- Volume: Adds an extra 4627 event to every logon.
- Default settings: No Auditing
- Recommended settings: No Auditing
- Logoff: $m_logoff
- Volume: High
- Default settings: Success
- Recommended settings: Success
- Logon: $m_logon
- Volume: Low on clients, medium on DCs or network servers
- Default settings: Client OS: Success | Server OS: Success and Failure
- Recommended settings: Success and Failure
- Other Logon/Logoff Events: $m_other_logon_logoff_events
- Volume: Low
- Default settings: No Auditing
- Recommended settings: Success and Failure
- Special Logon: $m_special_logon
- Volume: Low on clients. Medium on DC or network servers.
- Default settings: Success
- Recommended settings: Success and Failure
Object Access
- Certification Services: $m_certification_services
- Volume: Low to medium
- Default settings: No Auditing
- Recommended settings: Success and Failure for AD CS role servers.
- Detailed File Share: $m_detailed_file_share
- Volume: Very high for file servers and DCs, however, may be necessary if you want to track who is accessing what files as well as detect various lateral movement.
- Default settings: No Auditing
- Recommended settings: No Auditing due to the high noise level. Enable if you can though.
- File Share: $m_file_share
- Volume: High for file servers and DCs.
- Default settings: No Auditing
- Recommended settings: Success and Failure
- File System: $m_file_system
- Volume: Depends on SACL rules
- Default settings: No Auditing
- Recommended settings: Enable SACLs just for sensitive files
- Filtering Platform Connection: $m_filtering_platform_connection
- Volume: High
- Default settings: No Auditing
- Recommended settings: Success and Failure if you have enough space and are not monitoring network connections with sysmon. This should cause a high amount of events though.
- Filtering Platform Packet Drop: $m_filtering_platform_packet_drop
- Volume: High
- Default settings: No Auditing
- Recommended settings: Success and Failure if you have enough space and are not monitoring network connections with sysmon. This should cause a high amount of events though.
- Kernel Object: $m_kernel_object
- Volume: High if auditing access of global object access is enabled
- Default settings: No Auditing
- Recommended settings: Success and Failure but do not enable Audit the access of global system objects as you will generate too many 4663: Object Access events.
- Handle Manipulation: $m_handle_manipulation
- Volume: High
- Default settings: No Auditing
- Recommended settings: Success and Failure
- Other Object Access Events: $m_other_object_access_events
- Volume: Low
- Default settings: No Auditing
- Recommended settings: Success and Failure
- Registry: $m_registry
- Volume: Depends on SACLs
- Default settings: No Auditing
- Recommended settings: Set SACLs for only the registry keys that you want to monitor
- Removable Storage: $m_removable_storage
- Volume: Depends on how much removable storage is used
- Default settings: No Auditing
- Recommended settings: Success and Failure if you want to monitor external device usage.
- SAM: $m_sam
- Volume: High volume of events on Domain Controllers
- Default settings: No Auditing
- Recommended settings: Success and Failure if you can but may cause too high volume of noise so should be tested beforehand.
Policy Change
- Audit Policy Change: $m_audit_policy_change
- Volume: Low
- Default settings: Success
- Recommended settings: Success and Failure
- Authentication Policy Change: $m_authentication_policy_change
- Volume: Low
- Default settings: Success
- Recommended settings: Success and Failure
- Authorization Policy Change: $m_authorization_policy_change
- Volume: Medium to High
- Default settings: No Auditing
- Recommended settings: Unknown. Needs testing.
- Filtering Platform Policy Change: $m_filtering_platform_policy_change
- Volume: Low
- Default settings: No Auditing
- Recommended settings: Unknown, Needs testing.
- MPSSVC Rule-Level Policy Change: $m_mpssvc_rule_level_policy_change
- Volume: Low
- Default settings: No Auditing
- Recommended settings: Unknown. Needs testing.
- Other Policy Change Events: $m_other_policy_change_events
- Volume: Low
- Default settings: No Auditing
- Recommended settings: No Auditing (Note: ACSC recommends Success and Failure, however, this results in a lot of noise of 5447 (A Windows Filtering Platform filter has been changed) events being generated.)
Privilege Use
- Non Sensitive Use Events: $m_non_sensitive_use_events
- Volume: Very high
- Default settings: No Auditing
- Recommended settings: No Auditing
- Sensitive Privilege Use: $m_sensitive_privilege_use
- Volume: High
- Default settings: No Auditing
- Recommended settings: Success and Failure However, this may be too noisy.
System
- Other System Events: $m_other_system_events
- Volume: Low
- Default settings: Success and Failure
- Recommended settings: Unknown. Needs testing.
- Security State Change: $m_security_state_change
- Volume: Low
- Default settings: Success
- Recommended settings: Success and Failure
- Security System Extension: $m_security_system_extension
- Volume: Low, but more on DCs
- Default settings: No Auditing
- Recommended settings: Success and Failure
- System Integrity: $m_system_integrity
- Volume: Low
- Default settings: Sucess, Failure
- Recommended settings: Success and Failure
"@
$msgLines = $msg -split "`n"
foreach ($line in $msgLines) {
ColorPrint -line $line -category "Account Logon" -sub_categories @(
$m_credential_validation,
$m_kerberos_authentication_service,
$m_kerberos_sevice_ticket_operations
)
ColorPrint -line $line -category "Account Management" -sub_categories @(
$m_computer_account_management,
$m_other_account_management,
$m_security_group_management,
$m_user_account_management
)
ColorPrint -line $line -category "Detailed Tracking" -sub_categories @(
$m_plug_and_play_events,
$m_process_creation,
$m_process_termination,
$m_rpc_events,
$m_token_right_adjusted_events
)
ColorPrint -line $line -category "DS (Directory Service) Access" -sub_categories @(
$m_directory_service_access,
$m_directory_service_changes
)
ColorPrint -line $line -category "Logon/Logoff" -sub_categories @(
$m_account_lockout,
$m_group_membership,
$m_logoff,
$m_logon,
$m_other_logon_logoff_events,
$m_special_logon
)
ColorPrint -line $line -category "Object Access" -sub_categories @(
$m_certification_services,
$m_detailed_file_share,
$m_file_share,
$m_file_system,
$m_filtering_platform_connection,
$m_filtering_platform_packet_drop,
$m_kernel_object,
$m_handle_manipulation,
$m_other_object_access_events,
$m_registry,
$m_removable_storage,
$m_sam
)
ColorPrint -line $line -category "Policy Change" -sub_categories @(
$m_audit_policy_change,
$m_authentication_policy_change,
$m_authorization_policy_change,
$m_filtering_platform_policy_change,
$m_mpssvc_rule_level_policy_change,
$m_other_policy_change_events
)
ColorPrint -line $line -category "Privilege Use" -sub_categories @(
$m_non_sensitive_use_events,
$m_sensitive_privilege_use
)
ColorPrint -line $line -category "System" -sub_categories @(
$m_other_system_events,
$m_security_state_change,
$m_security_system_extension,
$m_system_integrity
)
if ($line -match '.*disabled.*\(') {
Write-Host $line -ForegroundColor Red
} elseif ($line -match '.*enabled.*\(') {
Write-Host $line -ForegroundColor Green
} elseif ($line -match '.*no rules.*') {
Write-Host $line -ForegroundColor DarkYellow
} else {
if ($line -notmatch "Account Logon" -and $line -notmatch "Account Management" -and $line -notmatch "Detailed Tracking" -and $line -notmatch "DS \(Directory Service\) Access" -and $line -notmatch "Logon/Logoff" -and $line -notmatch "Object Access" -and $line -notmatch "Policy Change" -and $line -notmatch "Privilege Use" -and $line -notmatch "System") {
Write-Host $line
}
}
}
Write-Host ""
}