diff --git a/WELA.ps1 b/WELA.ps1
index 7d884f82..38b2544a 100644
--- a/WELA.ps1
+++ b/WELA.ps1
@@ -1,4 +1,5 @@
 Import-Module -Name ./WELAFunctions.psm1
+Import-Module -Name ./WELAVerboseSecAudit.psm1
 $logo = @"
 ┏┓┏┓┏┳━━━┳┓ ┏━━━┓
 ┃┃┃┃┃┃┏━━┫┃ ┃┏━┓┃
@@ -67,10 +68,11 @@ $totalUsablePwsClaRate = CalculateTotalUsableRate -usableRate $usablePwsClaRate
 $totalUsablePwsModRate = CalculateTotalUsableRate -usableRate $usablePwsModRate
 $totalUsablePwsScrRate = CalculateTotalUsableRate -usableRate $usablePwsScrRate
-ShowRulesCountsByLevel -usableRate $usableSecRate -msg "Security event log detection rules: " -colorMsg "$totalUsableSecRate (Partially Enabled)"
 ShowRulesCountsByLevel -usableRate $usablePwsClaRate -msg "PowerShell classic logging detection rules: " -colorMsg "$totalUsablePwsClaRate (Enabled)"
 ShowRulesCountsByLevel -usableRate $usablePwsModRate -msg "PowerShell module logging detection rules: " -colorMsg "$totalUsablePwsModRate ($pwsModStatus)"
 ShowRulesCountsByLevel -usableRate $usablePwsScrRate -msg "PowerShell script block logging detection rules: " -colorMsg "$totalUsablePwsScrRate ($pwsSrcStatus)"
+ShowRulesCountsByLevel -usableRate $usableSecRate -msg "Security event log detection rules: " -colorMsg "$totalUsableSecRate (Partially Enabled)"
+ShowVerboseSecurity -rules $rules
 Write-Output "Usable detection rules list saved to: UsableRules.csv"
 Write-Output "Unusable detection rules list saved to: UnusableRules.csv"
diff --git a/WELAFunctions.psm1 b/WELAFunctions.psm1
index 005aca1d..64e2bcbe 100644
--- a/WELAFunctions.psm1
+++ b/WELAFunctions.psm1
@@ -220,8 +220,4 @@ function Test-IsAdministrator {
 return (New-Object Security.Principal.WindowsPrincipal($currentUser)).IsInRole($adminRole)
 }
-if (-not (Test-IsAdministrator)) {
- Write-Output "This script must be run as an Administrator."
- exit
-}
diff --git a/WELAVerboseSecAudit.psm1 b/WELAVerboseSecAudit.psm1
new file mode 100644
index 00000000..5a712a4f
--- /dev/null
+++ b/WELAVerboseSecAudit.psm1
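Review bot: `ShowVerboseSecurity -rules $rules` is reached with no elevation check ahead of it in this file, while the same commit removes the module-level `if (-not (Test-IsAdministrator)) { ... exit }` from WELAFunctions.psm1 and neither WELA.ps1 hunk adds a replacement. If no equivalent gate exists in the part of WELA.ps1 outside these hunks, a non-elevated run now proceeds to the report, and the enabled/disabled status printed per subcategory is only as trustworthy as the audit-policy data that populated `$rules`. `Test-IsAdministrator` is still defined in the module (its body is the context of the WELAFunctions.psm1 hunk), so, assuming it is exported, `if (-not (Test-IsAdministrator)) { Write-Output "This script must be run as an Administrator."; exit 1 }` placed after the two Import-Module lines restores the guard at script level. Moving the Security summary after the PowerShell ones is fine, but its `(Partially Enabled)` is still a hard-coded literal while the PowerShell lines use `$pwsModStatus`/`$pwsSrcStatus`; deriving it from the data would keep the summary accurate when all or none of the security subcategories are enabled.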
@@ -0,0 +1,375 @@
+function CountRules {
+ param (
+ [string]$guid,
+ [array]$rules
+ )
+ $filterd_rules = $rules | Where-Object { $_.subcategory_guids -contains $guid }
+
+ if ($filterd_rules.Count -eq 0) {
+ return "no rules"
+ }
+ $counts = @{
+ critical = 0
+ high = 0
+ medium = 0
+ low = 0
+ informational = 0
+ }
+
+ foreach ($rule in $filterd_rules) {
+ if ($counts.ContainsKey($rule.level)) {
+ $counts[$rule.level]++
+ }
+ }
+ $status = if ($filterd_rules[0].applicable) { "enabled" } else { "disabled" }
+ $result = "$status (critical: $($counts['critical']) | high: $($counts['high']) | medium: $($counts['medium']) | low: $($counts['low']), info: $($counts['informational']))"
+ return $result
+}
+
+function ColorPrint {
+ param (
+ [string]$line,
+ [string]$category,
+ [array]$sub_categories
+ )
+
+ if ($line.Trim() -eq $category.Trim()) {
+ $allEnabled = $true
+ $allDisabled = $true
+
+ foreach ($sub_category in $sub_categories) {
+ if ($sub_category -notmatch 'enabled') {
+ $allEnabled = $false
+ }
+ if ($sub_category -notmatch 'disabled') {
+ $allDisabled = $false
+ }
+ }
+
+ if ($allEnabled) {
+ Write-Host $category -ForegroundColor Green
+ } elseif ($allDisabled) {
+ Write-Host $category -ForegroundColor Red
+ } else {
+ Write-Host $category -ForegroundColor DarkYellow
+ }
+ }
+}
+
+function ShowVerboseSecurity {
+ param (
+ [array]$rules
+ )
+
+ $m_credential_validation = CountRules -guid "0CCE923F-69AE-11D9-BED3-505054503030" -rules $rules
+ $m_kerberos_authentication_service = CountRules -guid "0CCE9242-69AE-11D9-BED3-505054503030" -rules $rules
+ $m_kerberos_sevice_ticket_operations = CountRules -guid "0CCE9240-69AE-11D9-BED3-505054503030" -rules $rules
+ $m_computer_account_management = CountRules -guid "0CCE9236-69AE-11D9-BED3-505054503030" -rules $rules
+ $m_other_account_management = CountRules -guid "0CCE923A-69AE-11D9-BED3-505054503030" -rules $rules
+ $m_security_group_management = CountRules -guid "0CCE9237-69AE-11D9-BED3-505054503030" -rules $rules
+ $m_user_account_management = CountRules -guid "0CCE9235-69AE-11D9-BED3-505054503030" -rules $rules
+ $m_plug_and_play_events = CountRules -guid "0CCE9248-69AE-11D9-BED3-505054503030" -rules $rules
+ $m_process_creation = CountRules -guid "0CCE922B-69AE-11D9-BED3-505054503030" -rules $rules
+ $m_process_termination = CountRules -guid "0CCE922C-69AE-11D9-BED3-505054503030" -rules $rules
+ $m_rpc_events = CountRules -guid "0CCE922E-69AE-11D9-BED3-505054503030" -rules $rules
+ $m_token_right_adjusted_events = CountRules -guid "0CCE924A-69AE-11D9-BED3-505054503030" -rules $rules
+ $m_directory_service_access = CountRules -guid "0CCE923B-69AE-11D9-BED3-505054503030" -rules $rules
+ $m_directory_service_changes = CountRules -guid "0CCE923C-69AE-11D9-BED3-505054503030" -rules $rules
+ $m_account_lockout = CountRules -guid "0CCE9217-69AE-11D9-BED3-505054503030" -rules $rules
+ $m_group_membership = CountRules -guid "0CCE9249-69AE-11D9-BED3-505054503030" -rules $rules
+ $m_logoff = CountRules -guid "0CCE9216-69AE-11D9-BED3-505054503030" -rules $rules
+ $m_logon = CountRules -guid "0CCE9215-69AE-11D9-BED3-505054503030" -rules $rules
+ $m_other_logon_logoff_events = CountRules -guid "0CCE921C-69AE-11D9-BED3-505054503030" -rules $rules
+ $m_special_logon = CountRules -guid "0CCE921B-69AE-11D9-BED3-505054503030" -rules $rules
+ $m_certification_services = CountRules -guid "0CCE9221-69AE-11D9-BED3-505054503030" -rules $rules
+ $m_detailed_file_share = CountRules -guid "0CCE9244-69AE-11D9-BED3-505054503030" -rules $rules
+ $m_file_share = CountRules -guid "0CCE9224-69AE-11D9-BED3-505054503030" -rules $rules
+ $m_file_system = CountRules -guid "0CCE921D-69AE-11D9-BED3-505054503030" -rules $rules
+ $m_filtering_platform_connection = CountRules -guid "0CCE9226-69AE-11D9-BED3-505054503030" -rules $rules
+ $m_filtering_platform_packet_drop = CountRules -guid "0CCE9225-69AE-11D9-BED3-505054503030" -rules $rules
+ $m_kernel_object = CountRules -guid "0CCE921F-69AE-11D9-BED3-505054503030" -rules $rules
+ $m_handle_manipulation = CountRules -guid "0CCE9223-69AE-11D9-BED3-505054503030" -rules $rules
+ $m_other_object_access_events = CountRules -guid "0CCE9227-69AE-11D9-BED3-505054503030" -rules $rules
+ $m_registry = CountRules -guid "0CCE921E-69AE-11D9-BED3-505054503030" -rules $rules
+ $m_removable_storage = CountRules -guid "0CCE9245-69AE-11D9-BED3-505054503030" -rules $rules
+ $m_sam = CountRules -guid "0CCE9220-69AE-11D9-BED3-505054503030" -rules $rules
+ $m_audit_policy_change = CountRules -guid "0CCE922F-69AE-11D9-BED3-505054503030" -rules $rules
+ $m_authentication_policy_change = CountRules -guid "0CCE9230-69AE-11D9-BED3-505054503030" -rules $rules
+ $m_authorization_policy_change = CountRules -guid "0CCE9231-69AE-11D9-BED3-505054503030" -rules $rules
+ $m_filtering_platform_policy_change = CountRules -guid "0CCE9233-69AE-11D9-BED3-505054503030" -rules $rules
+ $m_mpssvc_rule_level_policy_change = CountRules -guid "0CCE9232-69AE-11D9-BED3-505054503030" -rules $rules
+ $m_other_policy_change_events = CountRules -guid "0CCE9234-69AE-11D9-BED3-505054503030" -rules $rules
+ $m_non_sensitive_use_events = CountRules -guid "0CCE9229-69AE-11D9-BED3-505054503030" -rules $rules
+ $m_sensitive_privilege_use = CountRules -guid "0CCE9228-69AE-11D9-BED3-505054503030" -rules $rules
+ $m_other_system_events = CountRules -guid "0CCE9214-69AE-11D9-BED3-505054503030" -rules $rules
+ $m_security_state_change = CountRules -guid "0CCE9210-69AE-11D9-BED3-505054503030" -rules $rules
+ $m_security_system_extension = CountRules -guid "0CCE9211-69AE-11D9-BED3-505054503030" -rules $rules
+ $m_system_integrity = CountRules -guid "0CCE9212-69AE-11D9-BED3-505054503030" -rules $rules
+
+ $msg = @"
+Detailed Security category settings:
+Account Logon
+ - Credential Validation: $m_credential_validation
+ - Volume: Depends on NTLM usage. Could be high on DCs and low on clients and servers.
+ - Default settings: Client OS: No Auditing | Server OS: Success
+ - Recommended settings: Client and Server OSes: Success and Failure
+ - Kerberos Authentication Service: $m_kerberos_authentication_service
+ - Volume: High
+ - Default settings: Client OS: No Auditing | Server OS: Success
+ - Recommended settings: Client OS: No Auditing | Server OS: Success and Failure
+ - Kerberos Service Ticket Operations: $m_kerberos_sevice_ticket_operations
+ - Volume: High
+ - Default settings: Client OS: No Auditing | Server OS: Success
+ - Recommended settings: Domain Controllers: Success and Failure
+Account Management
+ - Computer Account Management: $m_computer_account_management
+ - Volume: Low
+ - Default settings: Client OS: No Auditing | Server OS: Success Only
+ - Recommended settings: Domain Controllers: Success and Failure
+ - Other Account Management Events: $m_other_account_management
+ - Volume: Low
+ - Default settings: No Auditing
+ - Recommended settings: Success and Failure
+ - Security Group Management: $m_security_group_management
+ - Volume: Low
+ - Default settings: Success
+ - Recommended settings: Success and Failure
+ - User Account Management: $m_user_account_management
+ - Volume: Low
+ - Default settings: Success
+ - Recommended settings: Success and Failure
+Detailed Tracking
+ - Plug and Play Events: $m_plug_and_play_events
+ - Volume: Typcially low
+ - Default settings: No Auditing
+ - Recommended settings: Success and Failure
+ - Process Creation: $m_process_creation
+ - Volume: High
+ - Default settings: No Auditing
+ - Recommended settings: Success and Failure if sysmon is not configured.
+ - Process Termination: $m_process_termination
+ - Volume: High
+ - Default settings: No Auditing
+ - Recommended settings: No Auditing unless you want to track the lifespan of processes.
+ - RPC (Remote Procedure Call) Events: $m_rpc_events
+ - Volume: High on RPC servers (According to Microsoft)
+ - Default settings: No Auditing
+ - Recommended settings: Unknown. Needs testing.
+ - Token Right Adjusted Events: $m_token_right_adjusted_events
+ - Volume: Unknown
+ - Default settings: No Auditing
+ - Recommended settings: Unknown. Needs testing.
+DS (Directory Service) Access
+ - Directory Service Access: $m_directory_service_access
+ - Volume: High
+ - Default settings: Client OS: No Auditing | Server OS: Success
+ - Recommended settings: Client OS: No Auditing | ADDS Server: Success and Failure
+ - Directory Service Changes: $m_directory_service_changes
+ - Volume: High
+ - Default settings: No Auditing
+ - Recommended settings: Client OS: No Auditing | ADDS Server: Success and Failure
+Logon/Logoff
+ - Account Lockout: $m_account_lockout
+ - Volume: Low
+ - Default settings: Success
+ - Recommended settings: Success and Failure
+ - Group Membership: $m_group_membership
+ - Volume: Adds an extra 4627 event to every logon.
+ - Default settings: No Auditing
+ - Recommended settings: No Auditing
+ - Logoff: $m_logoff
+ - Volume: High
+ - Default settings: Success
+ - Recommended settings: Success
+ - Logon: $m_logon
+ - Volume: Low on clients, medium on DCs or network servers
+ - Default settings: Client OS: Success | Server OS: Success and Failure
+ - Recommended settings: Success and Failure
+ - Other Logon/Logoff Events: $m_other_logon_logoff_events
+ - Volume: Low
+ - Default settings: No Auditing
+ - Recommended settings: Success and Failure
+ - Special Logon: $m_special_logon
+ - Volume: Low on clients. Medium on DC or network servers.
+ - Default settings: Success
+ - Recommended settings: Success and Failure
+Object Access
+ - Certification Services: $m_certification_services
+ - Volume: Low to medium
+ - Default settings: No Auditing
+ - Recommended settings: Success and Failure for AD CS role servers.
+ - Detailed File Share: $m_detailed_file_share
+ - Volume: Very high for file servers and DCs, however, may be necessary if you want to track who is accessing what files as well as detect various lateral movement.
+ - Default settings: No Auditing
+ - Recommended settings: No Auditing due to the high noise level. Enable if you can though.
+ - File Share: $m_file_share
+ - Volume: High for file servers and DCs.
+ - Default settings: No Auditing
+ - Recommended settings: Success and Failure
+ - File System: $m_file_system
+ - Volume: Depends on SACL rules
+ - Default settings: No Auditing
+ - Recommended settings: Enable SACLs just for sensitive files
+ - Filtering Platform Connection: $m_filtering_platform_connection
+ - Volume: High
+ - Default settings: No Auditing
+ - Recommended settings: Success and Failure if you have enough space and are not monitoring network connections with sysmon. This should cause a high amount of events though.
+ - Filtering Platform Packet Drop: $m_filtering_platform_packet_drop
+ - Volume: High
+ - Default settings: No Auditing
+ - Recommended settings: Success and Failure if you have enough space and are not monitoring network connections with sysmon. This should cause a high amount of events though.
+ - Kernel Object: $m_kernel_object
+ - Volume: High if auditing access of global object access is enabled
+ - Default settings: No Auditing
+ - Recommended settings: Success and Failure but do not enable Audit the access of global system objects as you will generate too many 4663: Object Access events.
+ - Handle Manipulation: $m_handle_manipulation
+ - Volume: High
+ - Default settings: No Auditing
+ - Recommended settings: Success and Failure
+ - Other Object Access Events: $m_other_object_access_events
+ - Volume: Low
+ - Default settings: No Auditing
+ - Recommended settings: Success and Failure
+ - Registry: $m_registry
+ - Volume: Depends on SACLs
+ - Default settings: No Auditing
+ - Recommended settings: Set SACLs for only the registry keys that you want to monitor
+ - Removable Storage: $m_removable_storage
+ - Volume: Depends on how much removable storage is used
+ - Default settings: No Auditing
+ - Recommended settings: Success and Failure if you want to monitor external device usage.
+ - SAM: $m_sam
+ - Volume: High volume of events on Domain Controllers
+ - Default settings: No Auditing
+ - Recommended settings: Success and Failure if you can but may cause too high volume of noise so should be tested beforehand.
+Policy Change
+ - Audit Policy Change: $m_audit_policy_change
+ - Volume: Low
+ - Default settings: Success
+ - Recommended settings: Success and Failure
+ - Authentication Policy Change: $m_authentication_policy_change
+ - Volume: Low
+ - Default settings: Success
+ - Recommended settings: Success and Failure
+ - Authorization Policy Change: $m_authorization_policy_change
+ - Volume: Medium to High
+ - Default settings: No Auditing
+ - Recommended settings: Unknown. Needs testing.
+ - Filtering Platform Policy Change: $m_filtering_platform_policy_change
+ - Volume: Low
+ - Default settings: No Auditing
+ - Recommended settings: Unknown, Needs testing.
+ - MPSSVC Rule-Level Policy Change: $m_mpssvc_rule_level_policy_change
+ - Volume: Low
+ - Default settings: No Auditing
+ - Recommended settings: Unknown. Needs testing.
+ - Other Policy Change Events: $m_other_policy_change_events
+ - Volume: Low
+ - Default settings: No Auditing
+ - Recommended settings: No Auditing (Note: ACSC recommends Success and Failure, however, this results in a lot of noise of 5447 (A Windows Filtering Platform filter has been changed) events being generated.)
+Privilege Use
+ - Non Sensitive Use Events: $m_non_sensitive_use_events
+ - Volume: Very high
+ - Default settings: No Auditing
+ - Recommended settings: No Auditing
+ - Sensitive Privilege Use: $m_sensitive_privilege_use
+ - Volume: High
+ - Default settings: No Auditing
+ - Recommended settings: Success and Failure However, this may be too noisy.
+System
+ - Other System Events: $m_other_system_events
+ - Volume: Low
+ - Default settings: Success and Failure
+ - Recommended settings: Unknown. Needs testing.
+ - Security State Change: $m_security_state_change
+ - Volume: Low
+ - Default settings: Success
+ - Recommended settings: Success and Failure
+ - Security System Extension: $m_security_system_extension
+ - Volume: Low, but more on DCs
+ - Default settings: No Auditing
+ - Recommended settings: Success and Failure
+ - System Integrity: $m_system_integrity
+ - Volume: Low
+ - Default settings: Sucess, Failure
+ - Recommended settings: Success and Failure
+"@
+
+ $msgLines = $msg -split "`n"
+ foreach ($line in $msgLines) {
+ ColorPrint -line $line -category "Account Logon" -sub_categories @(
+ $m_credential_validation,
+ $m_kerberos_authentication_service,
+ $m_kerberos_sevice_ticket_operations
+ )
+ ColorPrint -line $line -category "Account Management" -sub_categories @(
+ $m_computer_account_management,
+ $m_other_account_management,
+ $m_security_group_management,
+ $m_user_account_management
+ )
+ ColorPrint -line $line -category "Detailed Tracking" -sub_categories @(
+ $m_plug_and_play_events,
+ $m_process_creation,
+ $m_process_termination,
+ $m_rpc_events,
+ $m_token_right_adjusted_events
+ )
+ ColorPrint -line $line -category "DS (Directory Service) Access" -sub_categories @(
+ $m_directory_service_access,
+ $m_directory_service_changes
+ )
+ ColorPrint -line $line -category "Logon/Logoff" -sub_categories @(
+ $m_account_lockout,
+ $m_group_membership,
+ $m_logoff,
+ $m_logon,
+ $m_other_logon_logoff_events,
+ $m_special_logon
+ )
+ ColorPrint -line $line -category "Object Access" -sub_categories @(
+ $m_certification_services,
+ $m_detailed_file_share,
+ $m_file_share,
+ $m_file_system,
+ $m_filtering_platform_connection,
+ $m_filtering_platform_packet_drop,
+ $m_kernel_object,
+ $m_handle_manipulation,
+ $m_other_object_access_events,
+ $m_registry,
+ $m_removable_storage,
+ $m_sam
+ )
+ ColorPrint -line $line -category "Policy Change" -sub_categories @(
+ $m_audit_policy_change,
+ $m_authentication_policy_change,
+ $m_authorization_policy_change,
+ $m_filtering_platform_policy_change,
+ $m_mpssvc_rule_level_policy_change,
+ $m_other_policy_change_events
+ )
+ ColorPrint -line $line -category "Privilege Use" -sub_categories @(
+ $m_non_sensitive_use_events,
+ $m_sensitive_privilege_use
+ )
+ ColorPrint -line $line -category "System" -sub_categories @(
+ $m_other_system_events,
+ $m_security_state_change,
+ $m_security_system_extension,
+ $m_system_integrity
+ )
+ if ($line -match '.*disabled.*\(') {
+ Write-Host $line -ForegroundColor Red
+ } elseif ($line -match '.*enabled.*\(') {
+ Write-Host $line -ForegroundColor Green
+ } elseif ($line -match '.*no rules.*') {
+ Write-Host $line -ForegroundColor DarkYellow
+ } else {
+ if ($line -notmatch "Account Logon" -and $line -notmatch "Account Management" -and $line -notmatch "Detailed Tracking" -and $line -notmatch "DS \(Directory Service\) Access" -and $line -notmatch "Logon/Logoff" -and $line -notmatch "Object Access" -and $line -notmatch "Policy Change" -and $line -notmatch "Privilege Use" -and $line -notmatch "System") {
+ Write-Host $line
+ }
+ }
+ }
+ Write-Host ""
+}
\ No newline at end of file
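Review bot: The category filter in the final `else` of the `foreach` in ShowVerboseSecurity relies on `-notmatch "System"`, `-notmatch "Object Access"` and similar, which are case-insensitive substring tests, so two description lines of the Kernel Object entry (`Volume: High if auditing access of global object access is enabled` and `Recommended settings: ... global system objects ... 4663: Object Access events.`) match those patterns and are silently dropped from the report; any future wording containing one of the category names would vanish the same way. Compare the trimmed line against the exact category names instead, e.g. `$categories = @("Account Logon", "Account Management", "Detailed Tracking", "DS (Directory Service) Access", "Logon/Logoff", "Object Access", "Policy Change", "Privilege Use", "System")` declared once before the loop and `} elseif ($categories -notcontains $line.Trim()) { Write-Host $line }` in place of the nested `if`. In CountRules, `$filterd_rules` is the bare pipeline result, so with zero or one matching rule it is `$null` or a scalar rather than an array; `$filterd_rules = @($rules | Where-Object { $_.subcategory_guids -contains $guid })` keeps `.Count` and `[0]` well-defined, including under `Set-StrictMode`. The enabled/disabled status is taken from `$filterd_rules[0].applicable` alone, which reads as an assumption that every rule mapped to a subcategory shares the same applicability; a comment stating that, or a check across all matches, would make the report's meaning explicit. If the module is saved with CRLF line endings, `$msg -split "`n"` leaves a trailing `r on every line, so `-split "`r?`n"` would stop the comparisons depending on `Trim()` and the loose regexes to tolerate it.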