From 25de744482b35f23809405abb35ce89a5118af68 Mon Sep 17 00:00:00 2001
From: fukusuket <41001169+fukusuket@users.noreply.github.com>
Date: Sat, 29 Mar 2025 07:16:05 +0900
Subject: [PATCH 01/70] feat: verbose security
---
 WELA.ps1 | 1 +
 WELAAuditMsg.psm1 | 191 +++++++++++++++++++++++++++++++++++++++++++++
 WELAFunctions.psm1 | 4 -
 3 files changed, 192 insertions(+), 4 deletions(-)
 create mode 100644 WELAAuditMsg.psm1
diff --git a/WELA.ps1 b/WELA.ps1
index 7d884f82..232468ee 100644
--- a/WELA.ps1
+++ b/WELA.ps1
@@ -68,6 +68,7 @@ $totalUsablePwsModRate = CalculateTotalUsableRate -usableRate $usablePwsModRate
$totalUsablePwsScrRate = CalculateTotalUsableRate -usableRate $usablePwsScrRate
ShowRulesCountsByLevel -usableRate $usableSecRate -msg "Security event log detection rules: " -colorMsg "$totalUsableSecRate (Partially Enabled)"
+ShowVerboseSecurity
ShowRulesCountsByLevel -usableRate $usablePwsClaRate -msg "PowerShell classic logging detection rules: " -colorMsg "$totalUsablePwsClaRate (Enabled)"
ShowRulesCountsByLevel -usableRate $usablePwsModRate -msg "PowerShell module logging detection rules: " -colorMsg "$totalUsablePwsModRate ($pwsModStatus)"
ShowRulesCountsByLevel -usableRate $usablePwsScrRate -msg "PowerShell script block logging detection rules: " -colorMsg "$totalUsablePwsScrRate ($pwsSrcStatus)"
diff --git a/WELAAuditMsg.psm1 b/WELAAuditMsg.psm1
new file mode 100644
index 00000000..670c44fe
--- /dev/null
+++ b/WELAAuditMsg.psm1
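Review bot: The added `ShowVerboseSecurity` call is unconditional, so every run of WELA.ps1 now prints the full multi-screen audit-category table whether or not the user asked for it, which the "Verbose" name suggests was meant to be opt-in. If WELA.ps1 has a `param()` block (not visible in this hunk), gate the call on a switch, e.g. `if ($VerboseSecurity) { ShowVerboseSecurity }`, or key it off `$VerbosePreference`. These are top-level script statements, so there is no enclosing function cut by the hunk.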
@@ -0,0 +1,191 @@
+function ShowVerboseSecurity {
+ $msg = @"
+Account Logon
+ - Credential Validation $m_credential_validation
+ - Volume: ``Depends on NTLM usage. Could be high on DCs and low on clients and servers.``
+ - Default settings: ``Client OS: No Auditing`` | ``Server OS: Success``
+ - Recommended settings: ``Client and Server OSes: Success and Failure``
+ - Kerberos Authentication Service $m_kerberos_authentication_service
+ - Volume: ``High``
+ - Default settings: ``Client OS: No Auditing`` | ``Server OS: Success``
+ - Recommended settings: ``Client OS: No Auditing`` | ``Server OS: Success and Failure``
+ - Kerberos Service Ticket Operations $m_kerberos_sevice_ticket_operations
+ - Volume: ``High``
+ - Default settings: ``Client OS: No Auditing`` | ``Server OS: Success``
+ - Recommended settings: ``Domain Controllers: Success and Failure``
+Account Management
+ - Computer Account Management $m_computer_account_management
+ - Volume: ``Low``
+ - Default settings: ``Client OS: No Auditing`` | ``Server OS: Success Only``
+ - Recommended settings: ``Domain Controllers: Success and Failure``
+ - Other Account Management Events $m_other_account_management
+ - Volume: ``Low``
+ - Default settings: ``No Auditing``
+ - Recommended settings: ``Success and Failure``
+ - Security Group Management $m_security_group_management
+ - Volume: ``Low``
+ - Default settings: ``Success``
+ - Recommended settings: ``Success and Failure``
+ - User Account Management $m_user_account_management
+ - Volume: ``Low``
+ - Default settings: ``Success``
+ - Recommended settings: ``Success and Failure``
+Detailed Tracking
+ - Plug and Play Events $m_plug_and_play_events
+ - Volume: ``Typcially low``
+ - Default settings: ``No Auditing``
+ - Recommended settings: ``Success and Failure``
+ - Process Creation $m_process_creation
+ - Volume: ``High``
+ - Default settings: ``No Auditing``
+ - Recommended settings: ``Success and Failure`` if sysmon is not configured.
+ - Process Termination $m_process_termination
+ - Volume: ``High``
+ - Default settings: ``No Auditing``
+ - Recommended settings: ``No Auditing`` unless you want to track the lifespan of processes.
+ - RPC (Remote Procedure Call) Events $m_rpc_events
+ - Volume: ``High on RPC servers`` (According to Microsoft)
+ - Default settings: ``No Auditing``
+ - Recommended settings: ``Unknown. Needs testing.``
+ - Token Right Adjusted Events $m_token_right_adjusted_events
+ - Volume: ``Unknown``
+ - Default settings: ``No Auditing``
+ - Recommended settings: ``Unknown. Needs testing.``
+DS (Directory Service) Access
+ - Directory Service Access $m_directory_service_access
+ - Volume: ``High``
+ - Default settings: ``Client OS: No Auditing`` | ``Server OS: Success``
+ - Recommended settings: ``Client OS: No Auditing`` | ``ADDS Server: Success and Failure``
+ - Directory Service Changes
+ - Volume: ``High``
+ - Default settings: ``No Auditing``
+ - Recommended settings: ``Client OS: No Auditing`` | ``ADDS Server: Success and Failure``
+Logon/Logoff
+ - Account Lockout $m_account_lockout
+ - Volume: ``Low``
+ - Default settings: ``Success``
+ - Recommended settings: ``Success and Failure``
+ - Group Membership
+ - Volume: Adds an extra ``4627`` event to every logon.
+ - Default settings: ``No Auditing``
+ - Recommended settings: ``No Auditing``
+ - Logoff $m_logoff
+ - Volume: ``High``
+ - Default settings: ``Success``
+ - Recommended settings: ``Success``
+ - Logon $m_logon
+ - Volume: ``Low on clients, medium on DCs or network servers``
+ - Default settings: ``Client OS: Success`` | ``Server OS: Success and Failure``
+ - Recommended settings: ``Success and Failure``
+ - Other Logon/Logoff Events $m_other_logon_logoff_events
+ - Volume: ``Low``
+ - Default settings: ``No Auditing``
+ - Recommended settings: ``Success and Failure``
+ - Special Logon $m_special_logon
+ - Volume: ``Low on clients. Medium on DC or network servers.``
+ - Default settings: ``Success``
+ - Recommended settings: ``Success and Failure``
+Object Access
+ - Certification Services $m_certification_services
+ - Volume: ``Low to medium``
+ - Default settings: ``No Auditing``
+ - Recommended settings: ``Success and Failure`` for AD CS role servers.
+ - Detailed File Share $m_detailed_file_share
+ - Volume: ``Very high for file servers and DCs, however, may be necessary if you want to track who is accessing what files as well as detect various lateral movement.``
+ - Default settings: ``No Auditing``
+ - Recommended settings: ``No Auditing`` due to the high noise level. Enable if you can though.
+ - File Share $m_file_share
+ - Volume: ``High for file servers and DCs.``
+ - Default settings: ``No Auditing``
+ - Recommended settings: ``Success and Failure``
+ - File System $m_file_system
+ - Volume: ``Depends on SACL rules``
+ - Default settings: ``No Auditing``
+ - Recommended settings: ``Enable SACLs just for sensitive files``
+ - Filtering Platform Connection $m_filtering_platform_connection
+ - Volume: ``High``
+ - Default settings: ``No Auditing``
+ - Recommended settings: ``Success and Failure`` if you have enough space and are not monitoring network connections with sysmon. This should cause a high amount of events though.
+ - Filtering Platform Packet Drop $m_filtering_platform_packet_drop
+ - Volume: ``High``
+ - Default settings: ``No Auditing``
+ - Recommended settings: ``Success and Failure`` if you have enough space and are not monitoring network connections with sysmon. This should cause a high amount of events though.
+ - Kernel Object $m_kernel_object
+ - Volume: ``High if auditing access of global object access is enabled``
+ - Default settings: ``No Auditing``
+ - Recommended settings: ``Success and Failure`` but do not enable ``Audit the access of global system objects`` as you will generate too many ``4663: Object Access`` events.
+ - Handle Manipulation $m_handle_manipulation
+ - Volume: ``High``
+ - Default settings: ``No Auditing``
+ - Recommended settings: ``Success and Failure``
+ - Other Object Access Events $m_other_object_access_events
+ - Volume: ``Low``
+ - Default settings: ``No Auditing``
+ - Recommended settings: ``Success and Failure``
+ - Registry $m_registry
+ - Volume: ``Depends on SACLs``
+ - Default settings: ``No Auditing``
+ - Recommended settings: ``Set SACLs for only the registry keys that you want to monitor``
+ - Removable Storage $m_removable_storage
+ - Volume: ``Depends on how much removable storage is used``
+ - Default settings: ``No Auditing``
+ - Recommended settings: ``Success and Failure`` if you want to monitor external device usage.
+ - SAM $m_sam
+ - Volume: ``High volume of events on Domain Controllers``
+ - Default settings: ``No Auditing``
+ - Recommended settings: ``Success and Failure`` if you can but may cause too high volume of noise so should be tested beforehand.
+Policy Change
+ - Audit Policy Change $m_audit_policy_change
+ - Volume: ``Low``
+ - Default settings: ``Success``
+ - Recommended settings: ``Success and Failure``
+ - Authentication Policy Change $m_authentication_policy_change
+ - Volume: ``Low``
+ - Default settings: ``Success``
+ - Recommended settings: ``Success and Failure``
+ - Authorization Policy Change $m_authorization_policy_change
+ - Volume: ``Medium to High``
+ - Default settings: ``No Auditing``
+ - Recommended settings: ``Unknown. Needs testing.``
+ - Filtering Platform Policy Change $m_filtering_platform_policy_change
+ - Volume: ``Low``
+ - Default settings: ``No Auditing``
+ - Recommended settings: ``Unknown, Needs testing.``
+ - MPSSVC Rule-Level Policy Change $m_mpssvc_rule_level_policy_change
+ - Volume: ``Low``
+ - Default settings: ``No Auditing``
+ - Recommended settings: ``Unknown. Needs testing.``
+ - Other Policy Change Events $m_other_policy_change_events
+ - Volume: ``Low``
+ - Default settings: ``No Auditing``
+ - Recommended settings: ``No Auditing`` (Note: ACSC recommends ``Success and Failure``, however, this results in a lot of noise of ``5447 (A Windows Filtering Platform filter has been changed)`` events being generated.)
+Privilege Use
+ - Non Sensitive Use Events $m_non_sensitive_use_events
+ - Volume: ``Very high``
+ - Default settings: ``No Auditing``
+ - Recommended settings: ``No Auditing``
+ - Sensitive Privilege Use $m_sensitive_privilege_use
+ - Volume: ``High``
+ - Default settings: ``No Auditing``
+ - Recommended settings: ``Success and Failure`` However, this may be too noisy.
+System
+ - Other System Events $m_other_system_events
+ - Volume: ``Low``
+ - Default settings: ``Success and Failure``
+ - Recommended settings: ``Unknown. Needs testing.``
+ - Security State Change $m_security_state_change
+ - Volume: ``Low``
+ - Default settings: ``Success``
+ - Recommended settings: ``Success and Failure``
+ - Security System Extension $m_security_system_extension
+ - Volume: ``Low, but more on DCs``
+ - Default settings: ``No Auditing``
+ - Recommended settings: ``Success and Failure``
+ - System Integrity $m_system_integrity
+ - Volume: ``Low``
+ - Default settings: ``Sucess, Failure``
+ - Recommended settings: ``Success and Failure``
+"@
+ Write-Host $msg
+}
+
diff --git a/WELAFunctions.psm1 b/WELAFunctions.psm1
index 005aca1d..64e2bcbe 100644
--- a/WELAFunctions.psm1
+++ b/WELAFunctions.psm1
@@ -220,8 +220,4 @@ function Test-IsAdministrator {
return (New-Object Security.Principal.WindowsPrincipal($currentUser)).IsInRole($adminRole)
}
-if (-not (Test-IsAdministrator)) {
- Write-Output "This script must be run as an Administrator."
- exit
-}
From d78dea1fa4419a29ae27b5f0780b8ae231235a78 Mon Sep 17 00:00:00 2001
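Review bot: Every status placeholder such as `$m_credential_validation` is interpolated by the `@"` here-string, but nothing in this new file assigns those variables, so as committed the function prints an empty status for every category (or throws under `Set-StrictMode -Version 2` or later); the values have to be assigned before the here-string or passed in through a `param()` block. Two entries also have no placeholder at all, `- Directory Service Changes` and `- Group Membership`, so they can never show a status even once the variables exist; add `$m_directory_service_changes` and `$m_group_membership` to those two lines. The doubled backticks inside an expandable here-string are backtick escapes that render as a single literal backtick, not as Markdown formatting, so the output will be sprinkled with stray backticks.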
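Review bot: Deleting the module-scope guard leaves nothing that stops WELA from running unelevated, and this commit adds no equivalent check to WELA.ps1; reading the Security log and querying audit policy typically require administrator rights, so an unprivileged run is likely to produce silently incomplete results instead of the old clear message. If the guard was removed because `exit` inside a module (presumably) terminates the importing session, move it to the top of the script rather than dropping it: `if (-not (Test-IsAdministrator)) { Write-Error 'WELA must be run as an Administrator.'; exit 1 }`. `Test-IsAdministrator` itself starts outside this hunk and is kept, so restoring the check is cheap; unless a later commit re-adds it, this is a regression in the tool's preconditions.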
From: fukusuket <41001169+fukusuket@users.noreply.github.com>
Date: Sat, 29 Mar 2025 08:25:42 +0900
Subject: [PATCH 02/70] feat: verbose security
---
 WELA.ps1 | 1 +
 1 file changed, 1 insertion(+)
diff --git a/WELA.ps1 b/WELA.ps1
index 232468ee..6bf8f367 100644
--- a/WELA.ps1
+++ b/WELA.ps1
@@ -1,4 +1,5 @@
Import-Module -Name ./WELAFunctions.psm1
+Import-Module -Name ./WELAAuditMsg.psm1
$logo = @" ┏┓┏┓┏┳━━━┳┓ ┏━━━┓ ┃┃┃┃┃┃┏━━┫┃ ┃┏━┓┃
From 4211fd5de5eee31a9dff341962a5d425f0bd3f5f Mon Sep 17 00:00:00 2001
From: fukusuket <41001169+fukusuket@users.noreply.github.com>
Date: Sat, 29 Mar 2025 08:28:17 +0900
Subject: [PATCH 03/70] feat: verbose security
---
 WELA.ps1 | 2 +-
 WELAAuditMsg.psm1 | 264 +++++++++++++++++++++++-----------------------
 2 files changed, 133 insertions(+), 133 deletions(-)
diff --git a/WELA.ps1 b/WELA.ps1
index 6bf8f367..2f35192c 100644
--- a/WELA.ps1
+++ b/WELA.ps1
@@ -69,10 +69,10 @@ $totalUsablePwsModRate = CalculateTotalUsableRate -usableRate $usablePwsModRate
$totalUsablePwsScrRate = CalculateTotalUsableRate -usableRate $usablePwsScrRate
ShowRulesCountsByLevel -usableRate $usableSecRate -msg "Security event log detection rules: " -colorMsg "$totalUsableSecRate (Partially Enabled)"
-ShowVerboseSecurity
ShowRulesCountsByLevel -usableRate $usablePwsClaRate -msg "PowerShell classic logging detection rules: " -colorMsg "$totalUsablePwsClaRate (Enabled)"
ShowRulesCountsByLevel -usableRate $usablePwsModRate -msg "PowerShell module logging detection rules: " -colorMsg "$totalUsablePwsModRate ($pwsModStatus)"
ShowRulesCountsByLevel -usableRate $usablePwsScrRate -msg "PowerShell script block logging detection rules: " -colorMsg "$totalUsablePwsScrRate ($pwsSrcStatus)"
+ShowVerboseSecurity
Write-Output "Usable detection rules list saved to: UsableRules.csv"
Write-Output "Unusable detection rules list saved to: UnusableRules.csv"
diff --git a/WELAAuditMsg.psm1 b/WELAAuditMsg.psm1
index 670c44fe..428df889 100644
--- a/WELAAuditMsg.psm1
+++ b/WELAAuditMsg.psm1
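Review bot: `Import-Module -Name ./WELAAuditMsg.psm1` resolves against the caller's current location rather than the script's directory, so running WELA.ps1 from any other working directory fails to find the module, and whatever file of that name happens to sit in the working directory is what gets loaded. Anchor the path to the script instead: `Import-Module -Name (Join-Path $PSScriptRoot 'WELAAuditMsg.psm1')`. The existing `WELAFunctions.psm1` import on the line above has the same problem and should be changed at the same time.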
@@ -2,189 +2,189 @@ function ShowVerboseSecurity { $msg = @" Account Logon - Credential Validation $m_credential_validation - - Volume: ``Depends on NTLM usage. Could be high on DCs and low on clients and servers.`` - - Default settings: ``Client OS: No Auditing`` | ``Server OS: Success`` - - Recommended settings: ``Client and Server OSes: Success and Failure`` + - Volume: Depends on NTLM usage. Could be high on DCs and low on clients and servers. + - Default settings: Client OS: No Auditing | Server OS: Success + - Recommended settings: Client and Server OSes: Success and Failure - Kerberos Authentication Service $m_kerberos_authentication_service - - Volume: ``High`` - - Default settings: ``Client OS: No Auditing`` | ``Server OS: Success`` - - Recommended settings: ``Client OS: No Auditing`` | ``Server OS: Success and Failure`` + - Volume: High + - Default settings: Client OS: No Auditing | Server OS: Success + - Recommended settings: Client OS: No Auditing | Server OS: Success and Failure - Kerberos Service Ticket Operations $m_kerberos_sevice_ticket_operations - - Volume: ``High`` - - Default settings: ``Client OS: No Auditing`` | ``Server OS: Success`` - - Recommended settings: ``Domain Controllers: Success and Failure`` + - Volume: High + - Default settings: Client OS: No Auditing | Server OS: Success + - Recommended settings: Domain Controllers: Success and Failure Account Management - Computer Account Management $m_computer_account_management - - Volume: ``Low`` - - Default settings: ``Client OS: No Auditing`` | ``Server OS: Success Only`` - - Recommended settings: ``Domain Controllers: Success and Failure`` + - Volume: Low + - Default settings: Client OS: No Auditing | Server OS: Success Only + - Recommended settings: Domain Controllers: Success and Failure - Other Account Management Events $m_other_account_management - - Volume: ``Low`` - - Default settings: ``No Auditing`` - - Recommended settings: ``Success and Failure`` + - Volume: Low + - Default 
settings: No Auditing + - Recommended settings: Success and Failure - Security Group Management $m_security_group_management - - Volume: ``Low`` - - Default settings: ``Success`` - - Recommended settings: ``Success and Failure`` + - Volume: Low + - Default settings: Success + - Recommended settings: Success and Failure - User Account Management $m_user_account_management - - Volume: ``Low`` - - Default settings: ``Success`` - - Recommended settings: ``Success and Failure`` + - Volume: Low + - Default settings: Success + - Recommended settings: Success and Failure Detailed Tracking - Plug and Play Events $m_plug_and_play_events - - Volume: ``Typcially low`` - - Default settings: ``No Auditing`` - - Recommended settings: ``Success and Failure`` + - Volume: Typcially low + - Default settings: No Auditing + - Recommended settings: Success and Failure - Process Creation $m_process_creation - - Volume: ``High`` - - Default settings: ``No Auditing`` - - Recommended settings: ``Success and Failure`` if sysmon is not configured. + - Volume: High + - Default settings: No Auditing + - Recommended settings: Success and Failure if sysmon is not configured. - Process Termination $m_process_termination - - Volume: ``High`` - - Default settings: ``No Auditing`` - - Recommended settings: ``No Auditing`` unless you want to track the lifespan of processes. + - Volume: High + - Default settings: No Auditing + - Recommended settings: No Auditing unless you want to track the lifespan of processes. - RPC (Remote Procedure Call) Events $m_rpc_events - - Volume: ``High on RPC servers`` (According to Microsoft) - - Default settings: ``No Auditing`` - - Recommended settings: ``Unknown. Needs testing.`` + - Volume: High on RPC servers (According to Microsoft) + - Default settings: No Auditing + - Recommended settings: Unknown. Needs testing. 
- Token Right Adjusted Events $m_token_right_adjusted_events - - Volume: ``Unknown`` - - Default settings: ``No Auditing`` - - Recommended settings: ``Unknown. Needs testing.`` + - Volume: Unknown + - Default settings: No Auditing + - Recommended settings: Unknown. Needs testing. DS (Directory Service) Access - Directory Service Access $m_directory_service_access - - Volume: ``High`` - - Default settings: ``Client OS: No Auditing`` | ``Server OS: Success`` - - Recommended settings: ``Client OS: No Auditing`` | ``ADDS Server: Success and Failure`` + - Volume: High + - Default settings: Client OS: No Auditing | Server OS: Success + - Recommended settings: Client OS: No Auditing | ADDS Server: Success and Failure - Directory Service Changes - - Volume: ``High`` - - Default settings: ``No Auditing`` - - Recommended settings: ``Client OS: No Auditing`` | ``ADDS Server: Success and Failure`` + - Volume: High + - Default settings: No Auditing + - Recommended settings: Client OS: No Auditing | ADDS Server: Success and Failure Logon/Logoff - Account Lockout $m_account_lockout - - Volume: ``Low`` - - Default settings: ``Success`` - - Recommended settings: ``Success and Failure`` + - Volume: Low + - Default settings: Success + - Recommended settings: Success and Failure - Group Membership - - Volume: Adds an extra ``4627`` event to every logon. - - Default settings: ``No Auditing`` - - Recommended settings: ``No Auditing`` + - Volume: Adds an extra 4627 event to every logon. 
+ - Default settings: No Auditing + - Recommended settings: No Auditing - Logoff $m_logoff - - Volume: ``High`` - - Default settings: ``Success`` - - Recommended settings: ``Success`` + - Volume: High + - Default settings: Success + - Recommended settings: Success - Logon $m_logon - - Volume: ``Low on clients, medium on DCs or network servers`` - - Default settings: ``Client OS: Success`` | ``Server OS: Success and Failure`` - - Recommended settings: ``Success and Failure`` + - Volume: Low on clients, medium on DCs or network servers + - Default settings: Client OS: Success | Server OS: Success and Failure + - Recommended settings: Success and Failure - Other Logon/Logoff Events $m_other_logon_logoff_events - - Volume: ``Low`` - - Default settings: ``No Auditing`` - - Recommended settings: ``Success and Failure`` + - Volume: Low + - Default settings: No Auditing + - Recommended settings: Success and Failure - Special Logon $m_special_logon - - Volume: ``Low on clients. Medium on DC or network servers.`` - - Default settings: ``Success`` - - Recommended settings: ``Success and Failure`` + - Volume: Low on clients. Medium on DC or network servers. + - Default settings: Success + - Recommended settings: Success and Failure Object Access - Certification Services $m_certification_services - - Volume: ``Low to medium`` - - Default settings: ``No Auditing`` - - Recommended settings: ``Success and Failure`` for AD CS role servers. + - Volume: Low to medium + - Default settings: No Auditing + - Recommended settings: Success and Failure for AD CS role servers. - Detailed File Share $m_detailed_file_share - - Volume: ``Very high for file servers and DCs, however, may be necessary if you want to track who is accessing what files as well as detect various lateral movement.`` - - Default settings: ``No Auditing`` - - Recommended settings: ``No Auditing`` due to the high noise level. Enable if you can though. 
+ - Volume: Very high for file servers and DCs, however, may be necessary if you want to track who is accessing what files as well as detect various lateral movement. + - Default settings: No Auditing + - Recommended settings: No Auditing due to the high noise level. Enable if you can though. - File Share $m_file_share - - Volume: ``High for file servers and DCs.`` - - Default settings: ``No Auditing`` - - Recommended settings: ``Success and Failure`` + - Volume: High for file servers and DCs. + - Default settings: No Auditing + - Recommended settings: Success and Failure - File System $m_file_system - - Volume: ``Depends on SACL rules`` - - Default settings: ``No Auditing`` - - Recommended settings: ``Enable SACLs just for sensitive files`` + - Volume: Depends on SACL rules + - Default settings: No Auditing + - Recommended settings: Enable SACLs just for sensitive files - Filtering Platform Connection $m_filtering_platform_connection - - Volume: ``High`` - - Default settings: ``No Auditing`` - - Recommended settings: ``Success and Failure`` if you have enough space and are not monitoring network connections with sysmon. This should cause a high amount of events though. + - Volume: High + - Default settings: No Auditing + - Recommended settings: Success and Failure if you have enough space and are not monitoring network connections with sysmon. This should cause a high amount of events though. - Filtering Platform Packet Drop $m_filtering_platform_packet_drop - - Volume: ``High`` - - Default settings: ``No Auditing`` - - Recommended settings: ``Success and Failure`` if you have enough space and are not monitoring network connections with sysmon. This should cause a high amount of events though. + - Volume: High + - Default settings: No Auditing + - Recommended settings: Success and Failure if you have enough space and are not monitoring network connections with sysmon. This should cause a high amount of events though. 
- Kernel Object $m_kernel_object - - Volume: ``High if auditing access of global object access is enabled`` - - Default settings: ``No Auditing`` - - Recommended settings: ``Success and Failure`` but do not enable ``Audit the access of global system objects`` as you will generate too many ``4663: Object Access`` events. + - Volume: High if auditing access of global object access is enabled + - Default settings: No Auditing + - Recommended settings: Success and Failure but do not enable Audit the access of global system objects as you will generate too many 4663: Object Access events. - Handle Manipulation $m_handle_manipulation - - Volume: ``High`` - - Default settings: ``No Auditing`` - - Recommended settings: ``Success and Failure`` + - Volume: High + - Default settings: No Auditing + - Recommended settings: Success and Failure - Other Object Access Events $m_other_object_access_events - - Volume: ``Low`` - - Default settings: ``No Auditing`` - - Recommended settings: ``Success and Failure`` + - Volume: Low + - Default settings: No Auditing + - Recommended settings: Success and Failure - Registry $m_registry - - Volume: ``Depends on SACLs`` - - Default settings: ``No Auditing`` - - Recommended settings: ``Set SACLs for only the registry keys that you want to monitor`` + - Volume: Depends on SACLs + - Default settings: No Auditing + - Recommended settings: Set SACLs for only the registry keys that you want to monitor - Removable Storage $m_removable_storage - - Volume: ``Depends on how much removable storage is used`` - - Default settings: ``No Auditing`` - - Recommended settings: ``Success and Failure`` if you want to monitor external device usage. + - Volume: Depends on how much removable storage is used + - Default settings: No Auditing + - Recommended settings: Success and Failure if you want to monitor external device usage. 
- SAM $m_sam - - Volume: ``High volume of events on Domain Controllers`` - - Default settings: ``No Auditing`` - - Recommended settings: ``Success and Failure`` if you can but may cause too high volume of noise so should be tested beforehand. + - Volume: High volume of events on Domain Controllers + - Default settings: No Auditing + - Recommended settings: Success and Failure if you can but may cause too high volume of noise so should be tested beforehand. Policy Change - Audit Policy Change $m_audit_policy_change - - Volume: ``Low`` - - Default settings: ``Success`` - - Recommended settings: ``Success and Failure`` + - Volume: Low + - Default settings: Success + - Recommended settings: Success and Failure - Authentication Policy Change $m_authentication_policy_change - - Volume: ``Low`` - - Default settings: ``Success`` - - Recommended settings: ``Success and Failure`` + - Volume: Low + - Default settings: Success + - Recommended settings: Success and Failure - Authorization Policy Change $m_authorization_policy_change - - Volume: ``Medium to High`` - - Default settings: ``No Auditing`` - - Recommended settings: ``Unknown. Needs testing.`` + - Volume: Medium to High + - Default settings: No Auditing + - Recommended settings: Unknown. Needs testing. - Filtering Platform Policy Change $m_filtering_platform_policy_change - - Volume: ``Low`` - - Default settings: ``No Auditing`` - - Recommended settings: ``Unknown, Needs testing.`` + - Volume: Low + - Default settings: No Auditing + - Recommended settings: Unknown, Needs testing. - MPSSVC Rule-Level Policy Change $m_mpssvc_rule_level_policy_change - - Volume: ``Low`` - - Default settings: ``No Auditing`` - - Recommended settings: ``Unknown. Needs testing.`` + - Volume: Low + - Default settings: No Auditing + - Recommended settings: Unknown. Needs testing. 
- Other Policy Change Events $m_other_policy_change_events - - Volume: ``Low`` - - Default settings: ``No Auditing`` - - Recommended settings: ``No Auditing`` (Note: ACSC recommends ``Success and Failure``, however, this results in a lot of noise of ``5447 (A Windows Filtering Platform filter has been changed)`` events being generated.) + - Volume: Low + - Default settings: No Auditing + - Recommended settings: No Auditing (Note: ACSC recommends Success and Failure, however, this results in a lot of noise of 5447 (A Windows Filtering Platform filter has been changed) events being generated.) Privilege Use - Non Sensitive Use Events $m_non_sensitive_use_events - - Volume: ``Very high`` - - Default settings: ``No Auditing`` - - Recommended settings: ``No Auditing`` + - Volume: Very high + - Default settings: No Auditing + - Recommended settings: No Auditing - Sensitive Privilege Use $m_sensitive_privilege_use - - Volume: ``High`` - - Default settings: ``No Auditing`` - - Recommended settings: ``Success and Failure`` However, this may be too noisy. + - Volume: High + - Default settings: No Auditing + - Recommended settings: Success and Failure However, this may be too noisy. System - Other System Events $m_other_system_events - - Volume: ``Low`` - - Default settings: ``Success and Failure`` - - Recommended settings: ``Unknown. Needs testing.`` + - Volume: Low + - Default settings: Success and Failure + - Recommended settings: Unknown. Needs testing. 
- Security State Change $m_security_state_change - - Volume: ``Low`` - - Default settings: ``Success`` - - Recommended settings: ``Success and Failure`` + - Volume: Low + - Default settings: Success + - Recommended settings: Success and Failure - Security System Extension $m_security_system_extension - - Volume: ``Low, but more on DCs`` - - Default settings: ``No Auditing`` - - Recommended settings: ``Success and Failure`` + - Volume: Low, but more on DCs + - Default settings: No Auditing + - Recommended settings: Success and Failure - System Integrity $m_system_integrity - - Volume: ``Low`` - - Default settings: ``Sucess, Failure`` - - Recommended settings: ``Success and Failure`` + - Volume: Low + - Default settings: Sucess, Failure + - Recommended settings: Success and Failure "@ Write-Host $msg }
From c41247f2114129610b0531789cdff3b034f0fe84 Mon Sep 17 00:00:00 2001
From: fukusuket <41001169+fukusuket@users.noreply.github.com>
Date: Mon, 31 Mar 2025 08:58:30 +0900
Subject: [PATCH 04/70] feat: verbose security
---
 WELAAuditMsg.psm1 | 1 +
 1 file changed, 1 insertion(+)
diff --git a/WELAAuditMsg.psm1 b/WELAAuditMsg.psm1
index 428df889..be9d9d76 100644
--- a/WELAAuditMsg.psm1
+++ b/WELAAuditMsg.psm1
@@ -1,5 +1,6 @@
function ShowVerboseSecurity {
$msg = @"
+Detailed Security category settings:
Account Logon
- Credential Validation $m_credential_validation - Volume: Depends on NTLM usage. Could be high on DCs and low on clients and servers.
From fac48e017c84dcd48e50cbd662fd872f003f44ea Mon Sep 17 00:00:00 2001
From: fukusuket <41001169+fukusuket@users.noreply.github.com>
Date: Mon, 31 Mar 2025 09:01:18 +0900
Subject: [PATCH 05/70] feat: verbose security
---
 WELA.ps1 | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/WELA.ps1 b/WELA.ps1
index 2f35192c..eb8e3604 100644
--- a/WELA.ps1
+++ b/WELA.ps1
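Review bot: Several user-facing strings carry typos that survive the backtick cleanup: `- Volume: Typcially low` should read `- Volume: Typically low`, and `- Default settings: Sucess, Failure` should read `- Default settings: Success and Failure` to match the wording every other entry uses. The placeholder `$m_kerberos_sevice_ticket_operations` is misspelled as well ("sevice"); it is only an internal name, but whoever later assigns these variables must reproduce the typo exactly or the Kerberos Service Ticket Operations row will print blank. The here-string and `ShowVerboseSecurity` begin before this hunk; its closing `}` is the hunk's last context line.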
@@ -68,10 +68,10 @@ $totalUsablePwsClaRate = CalculateTotalUsableRate -usableRate $usablePwsClaRate
$totalUsablePwsModRate = CalculateTotalUsableRate -usableRate $usablePwsModRate
$totalUsablePwsScrRate = CalculateTotalUsableRate -usableRate $usablePwsScrRate
-ShowRulesCountsByLevel -usableRate $usableSecRate -msg "Security event log detection rules: " -colorMsg "$totalUsableSecRate (Partially Enabled)"
ShowRulesCountsByLevel -usableRate $usablePwsClaRate -msg "PowerShell classic logging detection rules: " -colorMsg "$totalUsablePwsClaRate (Enabled)"
ShowRulesCountsByLevel -usableRate $usablePwsModRate -msg "PowerShell module logging detection rules: " -colorMsg "$totalUsablePwsModRate ($pwsModStatus)"
ShowRulesCountsByLevel -usableRate $usablePwsScrRate -msg "PowerShell script block logging detection rules: " -colorMsg "$totalUsablePwsScrRate ($pwsSrcStatus)"
+ShowRulesCountsByLevel -usableRate $usableSecRate -msg "Security event log detection rules: " -colorMsg "$totalUsableSecRate (Partially Enabled)"
ShowVerboseSecurity
Write-Output "Usable detection rules list saved to: UsableRules.csv"
From 0fc0b501d1c80f744e5cd76701f027035cdc3c39 Mon Sep 17 00:00:00 2001
From: fukusuket <41001169+fukusuket@users.noreply.github.com>
Date: Mon, 31 Mar 2025 09:02:26 +0900
Subject: [PATCH 06/70] feat: verbose security
---
 WELA.ps1 | 2 +-
 WELAAuditMsg.psm1 => WELAVerboseSecMsg.psm1 | 0
 2 files changed, 1 insertion(+), 1 deletion(-)
 rename WELAAuditMsg.psm1 => WELAVerboseSecMsg.psm1 (100%)
diff --git a/WELA.ps1 b/WELA.ps1
index eb8e3604..36be4a93 100644
--- a/WELA.ps1
+++ b/WELA.ps1
@@ -1,5 +1,5 @@
Import-Module -Name ./WELAFunctions.psm1
-Import-Module -Name ./WELAAuditMsg.psm1
+Import-Module -Name ./WELAVerboseSecMsg.psm1
$logo = @" ┏┓┏┓┏┳━━━┳┓ ┏━━━┓ ┃┃┃┃┃┃┏━━┫┃ ┃┏━┓┃
diff --git a/WELAAuditMsg.psm1 b/WELAVerboseSecMsg.psm1
similarity index 100%
rename from WELAAuditMsg.psm1
rename to WELAVerboseSecMsg.psm1
From 8d86a8f9f6afb4143ea1bd363ee7607a23c0d97a Mon Sep 17 00:00:00 2001
From: fukusuket <41001169+fukusuket@users.noreply.github.com>
Date: Mon, 31 Mar 2025 09:06:55 +0900
Subject: [PATCH 07/70] feat: verbose security
---
 WELAVerboseSecMsg.psm1 | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/WELAVerboseSecMsg.psm1 b/WELAVerboseSecMsg.psm1
index be9d9d76..129094f0 100644
--- a/WELAVerboseSecMsg.psm1
+++ b/WELAVerboseSecMsg.psm1
@@ -187,6 +187,8 @@ System - Default settings: Sucess, Failure - Recommended settings: Success and Failure
"@
- Write-Host $msg
+ # 変数部分を色付きで出力
+ $coloredMsg = $msg -replace '\$(\w+)', { param($match) "`e[31m$match`e[0m" }
+ Write-Host $coloredMsg
}
From 15b091d3cff7a41c760c898fcf8643cd5e0e0c32 Mon Sep 17 00:00:00 2001
From: fukusuket <41001169+fukusuket@users.noreply.github.com>
Date: Mon, 31 Mar 2025 09:14:53 +0900
Subject: [PATCH 08/70] feat: verbose security
---
 WELAVerboseSecMsg.psm1 | 43 ++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 43 insertions(+)
diff --git a/WELAVerboseSecMsg.psm1 b/WELAVerboseSecMsg.psm1
index 129094f0..3148f48e 100644
--- a/WELAVerboseSecMsg.psm1
+++ b/WELAVerboseSecMsg.psm1
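Review bot: The new `-replace '\$(\w+)'` can never match anything useful: `$msg` comes from an expandable here-string (the terminator `"@` is visible in the hunk), so the `$m_*` placeholders were already substituted with their values, or with nothing if unset, before this line runs, and no literal `$name` token remains to colour. Either build the message from a literal `@'...'@` here-string and expand each variable inside the replacement script block, or, simpler, wrap each status value in the colour escape codes at the point where it is assigned and keep the plain `Write-Host $msg`. Note also that a script-block replacement and the `` `e `` escape need PowerShell 6+, so this will not run on Windows PowerShell 5.1 if that is still a target. The comment `# 変数部分を色付きで出力` should be in English, e.g. `# colour the status (variable) parts of the message`. `ShowVerboseSecurity` starts outside this hunk.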
@@ -1,4 +1,47 @@ function ShowVerboseSecurity { + $m_credential_validation = "disabled (critical: 10 ¦ high: 100 ¦ medium ¦ low: 10, info: 1000)" + $m_kerberos_authentication_service = "disabled (critical: 10 ¦ high: 100 ¦ medium ¦ low: 10, info: 1000)" + $m_kerberos_sevice_ticket_operations = "disabled (critical: 10 ¦ high: 100 ¦ medium ¦ low: 10, info: 1000)" + $m_computer_account_management = "disabled (critical: 10 ¦ high: 100 ¦ medium ¦ low: 10, info: 1000)" + $m_other_account_management = "disabled (critical: 10 ¦ high: 100 ¦ medium ¦ low: 10, info: 1000)" + $m_security_group_management = "disabled (critical: 10 ¦ high: 100 ¦ medium ¦ low: 10, info: 1000)" + $m_user_account_management = "disabled (critical: 10 ¦ high: 100 ¦ medium ¦ low: 10, info: 1000)" + $m_plug_and_play_events = "disabled (critical: 10 ¦ high: 100 ¦ medium ¦ low: 10, info: 1000)" + $m_process_creation = "disabled (critical: 10 ¦ high: 100 ¦ medium ¦ low: 10, info: 1000)" + $m_process_termination = "disabled (critical: 10 ¦ high: 100 ¦ medium ¦ low: 10, info: 1000)" + $m_rpc_events = "disabled (critical: 10 ¦ high: 100 ¦ medium ¦ low: 10, info: 1000)" + $m_token_right_adjusted_events = "disabled (critical: 10 ¦ high: 100 ¦ medium ¦ low: 10, info: 1000)" + $m_directory_service_access = "disabled (critical: 10 ¦ high: 100 ¦ medium ¦ low: 10, info: 1000)" + $m_account_lockout = "disabled (critical: 10 ¦ high: 100 ¦ medium ¦ low: 10, info: 1000)" + $m_logoff = "disabled (critical: 10 ¦ high: 100 ¦ medium ¦ low: 10, info: 1000)" + $m_logon = "disabled (critical: 10 ¦ high: 100 ¦ medium ¦ low: 10, info: 1000)" + $m_other_logon_logoff_events = "disabled (critical: 10 ¦ high: 100 ¦ medium ¦ low: 10, info: 1000)" + $m_special_logon = "disabled (critical: 10 ¦ high: 100 ¦ medium ¦ low: 10, info: 1000)" + $m_certification_services = "disabled (critical: 10 ¦ high: 100 ¦ medium ¦ low: 10, info: 1000)" + $m_detailed_file_share = "disabled (critical: 10 ¦ high: 100 ¦ medium ¦ low: 10, info: 1000)" + 
$m_file_share = "disabled (critical: 10 ¦ high: 100 ¦ medium ¦ low: 10, info: 1000)" + $m_file_system = "disabled (critical: 10 ¦ high: 100 ¦ medium ¦ low: 10, info: 1000)" + $m_filtering_platform_connection = "disabled (critical: 10 ¦ high: 100 ¦ medium ¦ low: 10, info: 1000)" + $m_filtering_platform_packet_drop = "disabled (critical: 10 ¦ high: 100 ¦ medium ¦ low: 10, info: 1000)" + $m_kernel_object = "disabled (critical: 10 ¦ high: 100 ¦ medium ¦ low: 10, info: 1000)" + $m_handle_manipulation = "disabled (critical: 10 ¦ high: 100 ¦ medium ¦ low: 10, info: 1000)" + $m_other_object_access_events = "disabled (critical: 10 ¦ high: 100 ¦ medium ¦ low: 10, info: 1000)" + $m_registry = "disabled (critical: 10 ¦ high: 100 ¦ medium ¦ low: 10, info: 1000)" + $m_removable_storage = "disabled (critical: 10 ¦ high: 100 ¦ medium ¦ low: 10, info: 1000)" + $m_sam = "disabled (critical: 10 ¦ high: 100 ¦ medium ¦ low: 10, info: 1000)" + $m_audit_policy_change = "disabled (critical: 10 ¦ high: 100 ¦ medium ¦ low: 10, info: 1000)" + $m_authentication_policy_change = "disabled (critical: 10 ¦ high: 100 ¦ medium ¦ low: 10, info: 1000)" + $m_authorization_policy_change = "disabled (critical: 10 ¦ high: 100 ¦ medium ¦ low: 10, info: 1000)" + $m_filtering_platform_policy_change = "disabled (critical: 10 ¦ high: 100 ¦ medium ¦ low: 10, info: 1000)" + $m_mpssvc_rule_level_policy_change = "disabled (critical: 10 ¦ high: 100 ¦ medium ¦ low: 10, info: 1000)" + $m_other_policy_change_events = "disabled (critical: 10 ¦ high: 100 ¦ medium ¦ low: 10, info: 1000)" + $m_non_sensitive_use_events = "disabled (critical: 10 ¦ high: 100 ¦ medium ¦ low: 10, info: 1000)" + $m_sensitive_privilege_use = "disabled (critical: 10 ¦ high: 100 ¦ medium ¦ low: 10, info: 1000)" + $m_other_system_events = "disabled (critical: 10 ¦ high: 100 ¦ medium ¦ low: 10, info: 1000)" + $m_security_state_change = "disabled (critical: 10 ¦ high: 100 ¦ medium ¦ low: 10, info: 1000)" + $m_security_system_extension = "disabled 
(critical: 10 ¦ high: 100 ¦ medium ¦ low: 10, info: 1000)" + $m_system_integrity = "disabled (critical: 10 ¦ high: 100 ¦ medium ¦ low: 10, info: 1000)" + $msg = @" Detailed Security category settings: Account Logon From 7b5fb59e20dfed9d036c64c97756c173a2d5eadd Mon Sep 17 00:00:00 2001 From: fukusuket <41001169+fukusuket@users.noreply.github.com> Date: Mon, 31 Mar 2025 09:18:27 +0900 Subject: [PATCH 09/70] feat: verbose security --- WELAVerboseSecMsg.psm1 | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/WELAVerboseSecMsg.psm1 b/WELAVerboseSecMsg.psm1 index 3148f48e..c004d5ea 100644 --- a/WELAVerboseSecMsg.psm1 +++ b/WELAVerboseSecMsg.psm1 @@ -233,5 +233,4 @@ System # 変数部分を色付きで出力 $coloredMsg = $msg -replace '\$(\w+)', { param($match) "`e[31m$match`e[0m" } Write-Host $coloredMsg -} - +} \ No newline at end of file From cce398eff7524947b05cf922569ba05333f7b7a4 Mon Sep 17 00:00:00 2001 From: fukusuket <41001169+fukusuket@users.noreply.github.com> Date: Mon, 31 Mar 2025 09:20:29 +0900 Subject: [PATCH 10/70] feat: verbose security --- WELAVerboseSecMsg.psm1 | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/WELAVerboseSecMsg.psm1 b/WELAVerboseSecMsg.psm1 index c004d5ea..afcf0f9e 100644 --- a/WELAVerboseSecMsg.psm1 +++ b/WELAVerboseSecMsg.psm1 @@ -230,6 +230,10 @@ System - Default settings: Sucess, Failure - Recommended settings: Success and Failure "@ + + # 変数展開を有効にする + $expandedMsg = $ExecutionContext.InvokeCommand.ExpandString($msg) + # 変数部分を色付きで出力 $coloredMsg = $msg -replace '\$(\w+)', { param($match) "`e[31m$match`e[0m" } Write-Host $coloredMsg From 707d512fd0cfb3ed87996ec94df453a7902890e4 Mon Sep 17 00:00:00 2001 From: fukusuket <41001169+fukusuket@users.noreply.github.com> Date: Mon, 31 Mar 2025 09:20:45 +0900 Subject: [PATCH 11/70] feat: verbose security --- WELAVerboseSecMsg.psm1 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/WELAVerboseSecMsg.psm1 b/WELAVerboseSecMsg.psm1 index afcf0f9e..0b3a1dc7 100644 
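Review bot: All 42 new `$m_…` assignments carry the same literal `"disabled (critical: 10 ¦ high: 100 ¦ medium ¦ low: 10, info: 1000)"`, so the report will state that every subcategory is disabled regardless of the host's actual audit policy; for output that readers will treat as an audit-coverage statement, a fixed value is worse than printing nothing. If these are placeholders, say so with `# TODO: placeholder values until per-subcategory counts are computed` and print a neutral `unknown` rather than `disabled`. The format is also internally inconsistent (`medium` has no count, and `low: 10, info: 1000` switches from `¦` to a comma). `$m_kerberos_sevice_ticket_operations` has a typo (`sevice`); it matches the reference in the here-string from the earlier commit so it works, but fix both together. The here-string body continues outside the hunk.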
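Review bot: `$ExecutionContext.InvokeCommand.ExpandString($msg)` re-expands a string the `@"` here-string has already expanded, and `$expandedMsg` is not read by the following `-replace`, so in this commit the call is dead. More importantly, `ExpandString` evaluates any `$(...)` subexpression in its input; `$msg` is static today, but if rule names or other file-derived text are ever spliced into it, this becomes code execution from data. Build the text once and colour lines with `Write-Host -ForegroundColor` instead, and drop the `ExpandString` call; the comment should also be in English, e.g. `# Expand variable references in the message`. The enclosing function starts outside the hunk.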
--- a/WELAVerboseSecMsg.psm1 +++ b/WELAVerboseSecMsg.psm1 @@ -235,6 +235,6 @@ System $expandedMsg = $ExecutionContext.InvokeCommand.ExpandString($msg) # 変数部分を色付きで出力 - $coloredMsg = $msg -replace '\$(\w+)', { param($match) "`e[31m$match`e[0m" } + $coloredMsg = $expandedMsg -replace '\$(\w+)', { param($match) "`e[31m$match`e[0m" } Write-Host $coloredMsg } \ No newline at end of file From 0e773f82fdcbb489fda16e8e34fd4305409fcf45 Mon Sep 17 00:00:00 2001 From: fukusuket <41001169+fukusuket@users.noreply.github.com> Date: Mon, 31 Mar 2025 09:21:22 +0900 Subject: [PATCH 12/70] feat: verbose security --- WELAVerboseSecMsg.psm1 | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/WELAVerboseSecMsg.psm1 b/WELAVerboseSecMsg.psm1 index 0b3a1dc7..a887e884 100644 --- a/WELAVerboseSecMsg.psm1 +++ b/WELAVerboseSecMsg.psm1 @@ -231,10 +231,7 @@ System - Recommended settings: Success and Failure "@ - # 変数展開を有効にする - $expandedMsg = $ExecutionContext.InvokeCommand.ExpandString($msg) - # 変数部分を色付きで出力 - $coloredMsg = $expandedMsg -replace '\$(\w+)', { param($match) "`e[31m$match`e[0m" } + $coloredMsg = $msg -replace '\$(\w+)', { param($match) "`e[31m$match`e[0m" } Write-Host $coloredMsg } \ No newline at end of file From cb56cfce49511ab7fd7a44db353117f1de2c0729 Mon Sep 17 00:00:00 2001 From: fukusuket <41001169+fukusuket@users.noreply.github.com> Date: Mon, 31 Mar 2025 09:22:59 +0900 Subject: [PATCH 13/70] feat: verbose security --- WELAVerboseSecMsg.psm1 | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/WELAVerboseSecMsg.psm1 b/WELAVerboseSecMsg.psm1 index a887e884..26fff1f6 100644 --- a/WELAVerboseSecMsg.psm1 +++ b/WELAVerboseSecMsg.psm1 @@ -231,7 +231,5 @@ System - Recommended settings: Success and Failure "@ - # 変数部分を色付きで出力 - $coloredMsg = $msg -replace '\$(\w+)', { param($match) "`e[31m$match`e[0m" } - Write-Host $coloredMsg + Write-Host $msg } \ No newline at end of file From 1206f0313b23b85f882b7bc62245b663c6d2ec22 Mon Sep 17 00:00:00 2001 
From: fukusuket <41001169+fukusuket@users.noreply.github.com> Date: Wed, 2 Apr 2025 08:43:37 +0900 Subject: [PATCH 14/70] feat: verbose security --- WELAVerboseSecMsg.psm1 | 1 + 1 file changed, 1 insertion(+) diff --git a/WELAVerboseSecMsg.psm1 b/WELAVerboseSecMsg.psm1 index 26fff1f6..bd93636a 100644 --- a/WELAVerboseSecMsg.psm1 +++ b/WELAVerboseSecMsg.psm1 @@ -232,4 +232,5 @@ System "@ Write-Host $msg + Write-Host "" } \ No newline at end of file From 21db0753b19f8b0633ef0f2cef9157102ae47db7 Mon Sep 17 00:00:00 2001 From: fukusuket <41001169+fukusuket@users.noreply.github.com> Date: Wed, 2 Apr 2025 08:45:38 +0900 Subject: [PATCH 15/70] feat: verbose security --- WELA.ps1 | 2 +- WELAVerboseSecMsg.psm1 => WELAVerboseSecAudit.psm1 | 0 2 files changed, 1 insertion(+), 1 deletion(-) rename WELAVerboseSecMsg.psm1 => WELAVerboseSecAudit.psm1 (100%) diff --git a/WELA.ps1 b/WELA.ps1 index 36be4a93..3b14aafe 100644 --- a/WELA.ps1 +++ b/WELA.ps1 @@ -1,5 +1,5 @@ Import-Module -Name ./WELAFunctions.psm1 -Import-Module -Name ./WELAVerboseSecMsg.psm1 +Import-Module -Name ./WELAVerboseSecAudit.psm1 $logo = @" ┏┓┏┓┏┳━━━┳┓ ┏━━━┓ ┃┃┃┃┃┃┏━━┫┃ ┃┏━┓┃ diff --git a/WELAVerboseSecMsg.psm1 b/WELAVerboseSecAudit.psm1 similarity index 100% rename from WELAVerboseSecMsg.psm1 rename to WELAVerboseSecAudit.psm1 From 60610bb8a94162e64a8fa4898f7dc395ca74d915 Mon Sep 17 00:00:00 2001 From: fukusuket <41001169+fukusuket@users.noreply.github.com> Date: Wed, 2 Apr 2025 08:53:03 +0900 Subject: [PATCH 16/70] feat: verbose security --- WELAVerboseSecAudit.psm1 | 84 ++++++++++++++++++++-------------------- 1 file changed, 42 insertions(+), 42 deletions(-) diff --git a/WELAVerboseSecAudit.psm1 b/WELAVerboseSecAudit.psm1 index bd93636a..32689f88 100644 --- a/WELAVerboseSecAudit.psm1 +++ b/WELAVerboseSecAudit.psm1 
@@ -1,46 +1,46 @@ function ShowVerboseSecurity { - $m_credential_validation = "disabled (critical: 10 ¦ high: 100 ¦ medium ¦ low: 10, info: 1000)" - $m_kerberos_authentication_service = "disabled (critical: 10 ¦ high: 100 ¦ medium ¦ low: 10, info: 1000)" - $m_kerberos_sevice_ticket_operations = "disabled (critical: 10 ¦ high: 100 ¦ medium ¦ low: 10, info: 1000)" - $m_computer_account_management = "disabled (critical: 10 ¦ high: 100 ¦ medium ¦ low: 10, info: 1000)" - $m_other_account_management = "disabled (critical: 10 ¦ high: 100 ¦ medium ¦ low: 10, info: 1000)" - $m_security_group_management = "disabled (critical: 10 ¦ high: 100 ¦ medium ¦ low: 10, info: 1000)" - $m_user_account_management = "disabled (critical: 10 ¦ high: 100 ¦ medium ¦ low: 10, info: 1000)" - $m_plug_and_play_events = "disabled (critical: 10 ¦ high: 100 ¦ medium ¦ low: 10, info: 1000)" - $m_process_creation = "disabled (critical: 10 ¦ high: 100 ¦ medium ¦ low: 10, info: 1000)" - $m_process_termination = "disabled (critical: 10 ¦ high: 100 ¦ medium ¦ low: 10, info: 1000)" - $m_rpc_events = "disabled (critical: 10 ¦ high: 100 ¦ medium ¦ low: 10, info: 1000)" - $m_token_right_adjusted_events = "disabled (critical: 10 ¦ high: 100 ¦ medium ¦ low: 10, info: 1000)" - $m_directory_service_access = "disabled (critical: 10 ¦ high: 100 ¦ medium ¦ low: 10, info: 1000)" - $m_account_lockout = "disabled (critical: 10 ¦ high: 100 ¦ medium ¦ low: 10, info: 1000)" - $m_logoff = "disabled (critical: 10 ¦ high: 100 ¦ medium ¦ low: 10, info: 1000)" - $m_logon = "disabled (critical: 10 ¦ high: 100 ¦ medium ¦ low: 10, info: 1000)" - $m_other_logon_logoff_events = "disabled (critical: 10 ¦ high: 100 ¦ medium ¦ low: 10, info: 1000)" - $m_special_logon = "disabled (critical: 10 ¦ high: 100 ¦ medium ¦ low: 10, info: 1000)" - $m_certification_services = "disabled (critical: 10 ¦ high: 100 ¦ medium ¦ low: 10, info: 1000)" - $m_detailed_file_share = "disabled (critical: 10 ¦ high: 100 ¦ medium ¦ low: 10, info: 1000)" - 
$m_file_share = "disabled (critical: 10 ¦ high: 100 ¦ medium ¦ low: 10, info: 1000)" - $m_file_system = "disabled (critical: 10 ¦ high: 100 ¦ medium ¦ low: 10, info: 1000)" - $m_filtering_platform_connection = "disabled (critical: 10 ¦ high: 100 ¦ medium ¦ low: 10, info: 1000)" - $m_filtering_platform_packet_drop = "disabled (critical: 10 ¦ high: 100 ¦ medium ¦ low: 10, info: 1000)" - $m_kernel_object = "disabled (critical: 10 ¦ high: 100 ¦ medium ¦ low: 10, info: 1000)" - $m_handle_manipulation = "disabled (critical: 10 ¦ high: 100 ¦ medium ¦ low: 10, info: 1000)" - $m_other_object_access_events = "disabled (critical: 10 ¦ high: 100 ¦ medium ¦ low: 10, info: 1000)" - $m_registry = "disabled (critical: 10 ¦ high: 100 ¦ medium ¦ low: 10, info: 1000)" - $m_removable_storage = "disabled (critical: 10 ¦ high: 100 ¦ medium ¦ low: 10, info: 1000)" - $m_sam = "disabled (critical: 10 ¦ high: 100 ¦ medium ¦ low: 10, info: 1000)" - $m_audit_policy_change = "disabled (critical: 10 ¦ high: 100 ¦ medium ¦ low: 10, info: 1000)" - $m_authentication_policy_change = "disabled (critical: 10 ¦ high: 100 ¦ medium ¦ low: 10, info: 1000)" - $m_authorization_policy_change = "disabled (critical: 10 ¦ high: 100 ¦ medium ¦ low: 10, info: 1000)" - $m_filtering_platform_policy_change = "disabled (critical: 10 ¦ high: 100 ¦ medium ¦ low: 10, info: 1000)" - $m_mpssvc_rule_level_policy_change = "disabled (critical: 10 ¦ high: 100 ¦ medium ¦ low: 10, info: 1000)" - $m_other_policy_change_events = "disabled (critical: 10 ¦ high: 100 ¦ medium ¦ low: 10, info: 1000)" - $m_non_sensitive_use_events = "disabled (critical: 10 ¦ high: 100 ¦ medium ¦ low: 10, info: 1000)" - $m_sensitive_privilege_use = "disabled (critical: 10 ¦ high: 100 ¦ medium ¦ low: 10, info: 1000)" - $m_other_system_events = "disabled (critical: 10 ¦ high: 100 ¦ medium ¦ low: 10, info: 1000)" - $m_security_state_change = "disabled (critical: 10 ¦ high: 100 ¦ medium ¦ low: 10, info: 1000)" - $m_security_system_extension = "disabled 
(critical: 10 ¦ high: 100 ¦ medium ¦ low: 10, info: 1000)" - $m_system_integrity = "disabled (critical: 10 ¦ high: 100 ¦ medium ¦ low: 10, info: 1000)" + $m_credential_validation = "disabled (critical: 10 | high: 100 | medium | low: 10, info: 1000)" + $m_kerberos_authentication_service = "disabled (critical: 10 | high: 100 | medium | low: 10, info: 1000)" + $m_kerberos_sevice_ticket_operations = "disabled (critical: 10 | high: 100 | medium | low: 10, info: 1000)" + $m_computer_account_management = "disabled (critical: 10 | high: 100 | medium | low: 10, info: 1000)" + $m_other_account_management = "disabled (critical: 10 | high: 100 | medium | low: 10, info: 1000)" + $m_security_group_management = "disabled (critical: 10 | high: 100 | medium | low: 10, info: 1000)" + $m_user_account_management = "disabled (critical: 10 | high: 100 | medium | low: 10, info: 1000)" + $m_plug_and_play_events = "disabled (critical: 10 | high: 100 | medium | low: 10, info: 1000)" + $m_process_creation = "disabled (critical: 10 | high: 100 | medium | low: 10, info: 1000)" + $m_process_termination = "disabled (critical: 10 | high: 100 | medium | low: 10, info: 1000)" + $m_rpc_events = "disabled (critical: 10 | high: 100 | medium | low: 10, info: 1000)" + $m_token_right_adjusted_events = "disabled (critical: 10 | high: 100 | medium | low: 10, info: 1000)" + $m_directory_service_access = "disabled (critical: 10 | high: 100 | medium | low: 10, info: 1000)" + $m_account_lockout = "disabled (critical: 10 | high: 100 | medium | low: 10, info: 1000)" + $m_logoff = "disabled (critical: 10 | high: 100 | medium | low: 10, info: 1000)" + $m_logon = "disabled (critical: 10 | high: 100 | medium | low: 10, info: 1000)" + $m_other_logon_logoff_events = "disabled (critical: 10 | high: 100 | medium | low: 10, info: 1000)" + $m_special_logon = "disabled (critical: 10 | high: 100 | medium | low: 10, info: 1000)" + $m_certification_services = "disabled (critical: 10 | high: 100 | medium | low: 10, info: 
1000)" + $m_detailed_file_share = "disabled (critical: 10 | high: 100 | medium | low: 10, info: 1000)" + $m_file_share = "disabled (critical: 10 | high: 100 | medium | low: 10, info: 1000)" + $m_file_system = "disabled (critical: 10 | high: 100 | medium | low: 10, info: 1000)" + $m_filtering_platform_connection = "disabled (critical: 10 | high: 100 | medium | low: 10, info: 1000)" + $m_filtering_platform_packet_drop = "disabled (critical: 10 | high: 100 | medium | low: 10, info: 1000)" + $m_kernel_object = "disabled (critical: 10 | high: 100 | medium | low: 10, info: 1000)" + $m_handle_manipulation = "disabled (critical: 10 | high: 100 | medium | low: 10, info: 1000)" + $m_other_object_access_events = "disabled (critical: 10 | high: 100 | medium | low: 10, info: 1000)" + $m_registry = "disabled (critical: 10 | high: 100 | medium | low: 10, info: 1000)" + $m_removable_storage = "disabled (critical: 10 | high: 100 | medium | low: 10, info: 1000)" + $m_sam = "disabled (critical: 10 | high: 100 | medium | low: 10, info: 1000)" + $m_audit_policy_change = "disabled (critical: 10 | high: 100 | medium | low: 10, info: 1000)" + $m_authentication_policy_change = "disabled (critical: 10 | high: 100 | medium | low: 10, info: 1000)" + $m_authorization_policy_change = "disabled (critical: 10 | high: 100 | medium | low: 10, info: 1000)" + $m_filtering_platform_policy_change = "disabled (critical: 10 | high: 100 | medium | low: 10, info: 1000)" + $m_mpssvc_rule_level_policy_change = "disabled (critical: 10 | high: 100 | medium | low: 10, info: 1000)" + $m_other_policy_change_events = "disabled (critical: 10 | high: 100 | medium | low: 10, info: 1000)" + $m_non_sensitive_use_events = "disabled (critical: 10 | high: 100 | medium | low: 10, info: 1000)" + $m_sensitive_privilege_use = "disabled (critical: 10 | high: 100 | medium | low: 10, info: 1000)" + $m_other_system_events = "disabled (critical: 10 | high: 100 | medium | low: 10, info: 1000)" + $m_security_state_change = "disabled 
(critical: 10 | high: 100 | medium | low: 10, info: 1000)" + $m_security_system_extension = "disabled (critical: 10 | high: 100 | medium | low: 10, info: 1000)" + $m_system_integrity = "disabled (critical: 10 | high: 100 | medium | low: 10, info: 1000)" $msg = @" Detailed Security category settings: From f89db1d68a7a59f333dc97019cd9f1088ab336f9 Mon Sep 17 00:00:00 2001 From: fukusuket <41001169+fukusuket@users.noreply.github.com> Date: Wed, 2 Apr 2025 08:56:35 +0900 Subject: [PATCH 17/70] feat: verbose security --- WELAVerboseSecAudit.psm1 | 17 ++++++++++++++++- 1 file changed, 16 insertions(+), 1 deletion(-) diff --git a/WELAVerboseSecAudit.psm1 b/WELAVerboseSecAudit.psm1 index 32689f88..a15488a3 100644 --- a/WELAVerboseSecAudit.psm1 +++ b/WELAVerboseSecAudit.psm1 @@ -231,6 +231,21 @@ System - Recommended settings: Success and Failure "@ - Write-Host $msg + $msgLines = $msg -split "`n" + foreach ($line in $msgLines) { + if ($line -match "\$(\w+)") { + $parts = $line -split "(\$\w+)" + foreach ($part in $parts) { + if ($part -match "\$(\w+)") { + Write-Host -NoNewline $part -ForegroundColor Red + } else { + Write-Host -NoNewline $part + } + } + Write-Host "" + } else { + Write-Host $line + } + } Write-Host "" } \ No newline at end of file From fa1a9c2eddd6331b2a6938343169034577cd9a62 Mon Sep 17 00:00:00 2001 From: fukusuket <41001169+fukusuket@users.noreply.github.com> Date: Wed, 2 Apr 2025 08:59:19 +0900 Subject: [PATCH 18/70] feat: verbose security --- WELAVerboseSecAudit.psm1 | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/WELAVerboseSecAudit.psm1 b/WELAVerboseSecAudit.psm1 index a15488a3..c1fa148f 100644 --- a/WELAVerboseSecAudit.psm1 +++ b/WELAVerboseSecAudit.psm1 
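Review bot: `"\$(\w+)"` in the new `if` and `-split` is a double-quoted string, so PowerShell parses `$(\w+)` as a subexpression and tries to run `\w+` as a command at runtime; regex patterns belong in single quotes, `if ($line -match '\$(\w+)')`. Even with that fixed the red branch is unreachable, because `$msg` comes from an expandable here-string whose `$m_…` references were substituted at assignment, so no line contains a literal `$name`. Match on the status text itself (e.g. `'\b(enabled|disabled)\b'`) or keep the status values in a hashtable and colour them as each line is printed. `$msg -split "`n"` also leaves a trailing `` `r `` on every line if the file is saved with CRLF endings; `-split '\r?\n'` avoids that. The here-string and the enclosing function start outside the hunk.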
@@ -233,10 +233,10 @@ System $msgLines = $msg -split "`n" foreach ($line in $msgLines) { - if ($line -match "\$(\w+)") { - $parts = $line -split "(\$\w+)" + if ($line -match '\$(\w+)') { + $parts = $line -split '(\$\w+)' foreach ($part in $parts) { - if ($part -match "\$(\w+)") { + if ($part -match '\$(\w+)') { Write-Host -NoNewline $part -ForegroundColor Red } else { Write-Host -NoNewline $part From 6947348aebb2d1dd146c4be0a805fb5488180f8d Mon Sep 17 00:00:00 2001 From: fukusuket <41001169+fukusuket@users.noreply.github.com> Date: Wed, 2 Apr 2025 09:03:14 +0900 Subject: [PATCH 19/70] feat: verbose security --- WELAVerboseSecAudit.psm1 | 12 ++---------- 1 file changed, 2 insertions(+), 10 deletions(-) diff --git a/WELAVerboseSecAudit.psm1 b/WELAVerboseSecAudit.psm1 index c1fa148f..0248df00 100644 --- a/WELAVerboseSecAudit.psm1 +++ b/WELAVerboseSecAudit.psm1 @@ -233,16 +233,8 @@ System $msgLines = $msg -split "`n" foreach ($line in $msgLines) { - if ($line -match '\$(\w+)') { - $parts = $line -split '(\$\w+)' - foreach ($part in $parts) { - if ($part -match '\$(\w+)') { - Write-Host -NoNewline $part -ForegroundColor Red - } else { - Write-Host -NoNewline $part - } - } - Write-Host "" + if ($line -match '^\s*disabled.*\)$') { + Write-Host -NoNewline $line -ForegroundColor Red } else { Write-Host $line } From c1b0ad5a65c0cfbf232d2acd3fad26ad7aae0495 Mon Sep 17 00:00:00 2001 From: fukusuket <41001169+fukusuket@users.noreply.github.com> Date: Wed, 2 Apr 2025 09:06:02 +0900 Subject: [PATCH 20/70] feat: verbose security --- WELAVerboseSecAudit.psm1 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/WELAVerboseSecAudit.psm1 b/WELAVerboseSecAudit.psm1 index 0248df00..5aa1ebfa 100644 --- a/WELAVerboseSecAudit.psm1 +++ b/WELAVerboseSecAudit.psm1 
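Review bot: `Write-Host -NoNewline $line -ForegroundColor Red` in the new `disabled` branch emits no line break, so the next iteration's `Write-Host $line` is appended to the red line; drop `-NoNewline` here. The pattern `'^\s*disabled.*\)$'` also anchors `disabled` at the start of the line, but in the here-string the status follows the subcategory name (e.g. `- Credential Validation disabled (...)`), so it never matches; `'\bdisabled\b'` is what is intended, and the `$` anchor will additionally miss lines that carry a trailing `` `r ``. The enclosing loop starts outside the hunk.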
@@ -233,7 +233,7 @@ System $msgLines = $msg -split "`n" foreach ($line in $msgLines) { - if ($line -match '^\s*disabled.*\)$') { + if ($line -contains 'disabled') { Write-Host -NoNewline $line -ForegroundColor Red } else { Write-Host $line From d54789e6771c3de9b24625c8598f5dc435502feb Mon Sep 17 00:00:00 2001 From: fukusuket <41001169+fukusuket@users.noreply.github.com> Date: Wed, 2 Apr 2025 09:06:55 +0900 Subject: [PATCH 21/70] feat: verbose security --- WELAVerboseSecAudit.psm1 | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/WELAVerboseSecAudit.psm1 b/WELAVerboseSecAudit.psm1 index 5aa1ebfa..e4e44df0 100644 --- a/WELAVerboseSecAudit.psm1 +++ b/WELAVerboseSecAudit.psm1 @@ -234,7 +234,8 @@ System $msgLines = $msg -split "`n" foreach ($line in $msgLines) { if ($line -contains 'disabled') { - Write-Host -NoNewline $line -ForegroundColor Red + Write-Host $line -ForegroundColor Red + Write-Host "****" } else { Write-Host $line } From f6380fe71049856063b1fa1587213e8cb738d748 Mon Sep 17 00:00:00 2001 From: fukusuket <41001169+fukusuket@users.noreply.github.com> Date: Wed, 2 Apr 2025 09:07:42 +0900 Subject: [PATCH 22/70] feat: verbose security --- WELAVerboseSecAudit.psm1 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/WELAVerboseSecAudit.psm1 b/WELAVerboseSecAudit.psm1 index e4e44df0..26a5afe5 100644 --- a/WELAVerboseSecAudit.psm1 +++ b/WELAVerboseSecAudit.psm1 @@ -235,8 +235,8 @@ System foreach ($line in $msgLines) { if ($line -contains 'disabled') { Write-Host $line -ForegroundColor Red - Write-Host "****" } else { + Write-Host "****" Write-Host $line } } From a243eb716e6077cbbf10468ad034ecb1fde3c960 Mon Sep 17 00:00:00 2001 From: fukusuket <41001169+fukusuket@users.noreply.github.com> Date: Wed, 2 Apr 2025 09:08:14 +0900 Subject: [PATCH 23/70] feat: verbose security --- WELAVerboseSecAudit.psm1 | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) 
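Review bot: `$line -contains 'disabled'` is the collection-containment operator; with a string on the left it tests whether the whole string equals `'disabled'`, so the red branch is never taken for lines such as `- Credential Validation disabled (...)`. A substring test on a string is `$line -match 'disabled'` or `$line.Contains('disabled')`. The `-NoNewline` on the red branch still swallows the line break from the previous commit, and the `Write-Host "****"` added in the next two hunks reads as debug output that should not ship. The enclosing loop starts outside the hunk.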
diff --git a/WELAVerboseSecAudit.psm1 b/WELAVerboseSecAudit.psm1 index 26a5afe5..424cdb63 100644 --- a/WELAVerboseSecAudit.psm1 +++ b/WELAVerboseSecAudit.psm1 @@ -233,10 +233,9 @@ System $msgLines = $msg -split "`n" foreach ($line in $msgLines) { - if ($line -contains 'disabled') { + if ($line -match '.*disabled.*') { Write-Host $line -ForegroundColor Red } else { - Write-Host "****" Write-Host $line } } From 8ab3438016b8d8e138d239fea937a6522ec0ad0d Mon Sep 17 00:00:00 2001 From: fukusuket <41001169+fukusuket@users.noreply.github.com> Date: Wed, 2 Apr 2025 09:09:56 +0900 Subject: [PATCH 24/70] feat: verbose security --- WELAVerboseSecAudit.psm1 | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/WELAVerboseSecAudit.psm1 b/WELAVerboseSecAudit.psm1 index 424cdb63..144dd3fb 100644 --- a/WELAVerboseSecAudit.psm1 +++ b/WELAVerboseSecAudit.psm1 @@ -234,7 +234,14 @@ System $msgLines = $msg -split "`n" foreach ($line in $msgLines) { if ($line -match '.*disabled.*') { - Write-Host $line -ForegroundColor Red + $parts = $line -split '(disabled.*\))' + foreach ($part in $parts) { + if ($part -match '.*disabled.*$') { + Write-Host -NoNewline $part -ForegroundColor Red + } else { + Write-Host -NoNewline $part + } + } } else { Write-Host $line } From 7d713c068b2970fb4780833f64cc40cb829492db Mon Sep 17 00:00:00 2001 From: fukusuket <41001169+fukusuket@users.noreply.github.com> Date: Wed, 2 Apr 2025 09:10:11 +0900 Subject: [PATCH 25/70] feat: verbose security --- WELAVerboseSecAudit.psm1 | 1 + 1 file changed, 1 insertion(+) diff --git a/WELAVerboseSecAudit.psm1 b/WELAVerboseSecAudit.psm1 index 144dd3fb..487a9506 100644 --- a/WELAVerboseSecAudit.psm1 +++ b/WELAVerboseSecAudit.psm1 @@ -242,6 +242,7 @@ System Write-Host -NoNewline $part } } + Write-Host "" } else { Write-Host $line } From 8f1dacebbcd5eb29aced15cbadf276b8c3aca69e Mon Sep 17 00:00:00 2001 
From: fukusuket <41001169+fukusuket@users.noreply.github.com> Date: Wed, 2 Apr 2025 09:12:05 +0900 Subject: [PATCH 26/70] feat: verbose security --- WELAVerboseSecAudit.psm1 | 19 ++++++++++--------- 1 file changed, 10 insertions(+), 9 deletions(-) diff --git a/WELAVerboseSecAudit.psm1 b/WELAVerboseSecAudit.psm1 index 487a9506..5cc962b3 100644 --- a/WELAVerboseSecAudit.psm1 +++ b/WELAVerboseSecAudit.psm1 @@ -234,15 +234,16 @@ System $msgLines = $msg -split "`n" foreach ($line in $msgLines) { if ($line -match '.*disabled.*') { - $parts = $line -split '(disabled.*\))' - foreach ($part in $parts) { - if ($part -match '.*disabled.*$') { - Write-Host -NoNewline $part -ForegroundColor Red - } else { - Write-Host -NoNewline $part - } - } - Write-Host "" + Write-Host $line -ForegroundColor Red +# $parts = $line -split '(disabled.*\))' +# foreach ($part in $parts) { +# if ($part -match '.*disabled.*$') { +# Write-Host -NoNewline $part -ForegroundColor Red +# } else { +# Write-Host -NoNewline $part +# } +# } +# Write-Host "" } else { Write-Host $line } From c21700572e262163831125c7bcbc9b1851a61563 Mon Sep 17 00:00:00 2001 From: fukusuket <41001169+fukusuket@users.noreply.github.com> Date: Wed, 2 Apr 2025 09:13:40 +0900 Subject: [PATCH 27/70] feat: verbose security --- WELAVerboseSecAudit.psm1 | 2 ++ 1 file changed, 2 insertions(+) diff --git a/WELAVerboseSecAudit.psm1 b/WELAVerboseSecAudit.psm1 index 5cc962b3..da45ff3a 100644 --- a/WELAVerboseSecAudit.psm1 +++ b/WELAVerboseSecAudit.psm1 @@ -244,6 +244,8 @@ System # } # } # Write-Host "" + } elseif ($line -match '.*enabled.*') { + Write-Host $line -ForegroundColor Green } else { Write-Host $line } From 4f9fab2523e8471a7405f01a114cfb05a2dff1b8 Mon Sep 17 00:00:00 2001 
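Review bot: The new `elseif ($line -match '.*enabled.*')` is correct only because the `disabled` test runs first, since `enabled` is a substring of `disabled`; use `'\benabled\b'` so the branch does not depend on ordering, and drop the redundant `.*` on both patterns (`-match` is unanchored). The preceding hunk comments out the `$parts`/`-split` block instead of deleting it, leaving nine lines of dead code inside the loop; git history preserves the old version, so remove them. The enclosing loop starts outside the hunk.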
From: fukusuket <41001169+fukusuket@users.noreply.github.com> Date: Wed, 2 Apr 2025 10:22:04 +0900 Subject: [PATCH 28/70] feat: verbose security --- WELA.ps1 | 2 +- WELAVerboseSecAudit.psm1 | 36 ++++++++++++++++++++++++++++++++++++ 2 files changed, 37 insertions(+), 1 deletion(-) diff --git a/WELA.ps1 b/WELA.ps1 index 3b14aafe..38b2544a 100644 --- a/WELA.ps1 +++ b/WELA.ps1 @@ -72,7 +72,7 @@ ShowRulesCountsByLevel -usableRate $usablePwsClaRate -msg "PowerShell classic lo ShowRulesCountsByLevel -usableRate $usablePwsModRate -msg "PowerShell module logging detection rules: " -colorMsg "$totalUsablePwsModRate ($pwsModStatus)" ShowRulesCountsByLevel -usableRate $usablePwsScrRate -msg "PowerShell script block logging detection rules: " -colorMsg "$totalUsablePwsScrRate ($pwsSrcStatus)" ShowRulesCountsByLevel -usableRate $usableSecRate -msg "Security event log detection rules: " -colorMsg "$totalUsableSecRate (Partially Enabled)" -ShowVerboseSecurity +ShowVerboseSecurity -rules $rules Write-Output "Usable detection rules list saved to: UsableRules.csv" Write-Output "Unusable detection rules list saved to: UnusableRules.csv" diff --git a/WELAVerboseSecAudit.psm1 b/WELAVerboseSecAudit.psm1 index da45ff3a..aea770af 100644 --- a/WELAVerboseSecAudit.psm1 +++ b/WELAVerboseSecAudit.psm1 
@@ -1,4 +1,40 @@ +function Get-RuleCounts { + param ( + [string]$guid, + [array]$rules + ) + + $filteredRules = $rules | Where-Object { $_.subcategory_guids -contains $guid } + if ($filteredRules.Count -eq 0) { + return "no rules" + } + + $groupedRules = $filteredRules | Group-Object -Property level + + $levels = @("critical", "high", "medium", "low", "informational") + $counts = @{} + foreach ($level in $levels) { + $counts[$level] = 0 + } + + foreach ($group in $groupedRules) { + $counts[$group.Name] = $group.Count + } + + $status = if ($filteredRules[0].applicable) { "enabled" } else { "disabled" } + + $result = "$status (" + $result += $levels | ForEach-Object { "$_: $($counts[$_])" } -join " | " + $result += ")" + + return $result +} + function ShowVerboseSecurity { + param ( + [array]$rules + ) + Get-RuleCounts -guid "0CCE9226-69AE-11D9-BED3-505054503030" -rules $rules $m_credential_validation = "disabled (critical: 10 | high: 100 | medium | low: 10, info: 1000)" $m_kerberos_authentication_service = "disabled (critical: 10 | high: 100 | medium | low: 10, info: 1000)" $m_kerberos_sevice_ticket_operations = "disabled (critical: 10 | high: 100 | medium | low: 10, info: 1000)" From 055e69459f9a224315fd5ed75568198b62179230 Mon Sep 17 00:00:00 2001 From: fukusuket <41001169+fukusuket@users.noreply.github.com> Date: Wed, 2 Apr 2025 10:23:16 +0900 Subject: [PATCH 29/70] feat: verbose security --- WELAVerboseSecAudit.psm1 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/WELAVerboseSecAudit.psm1 b/WELAVerboseSecAudit.psm1 index aea770af..41d313e2 100644 --- a/WELAVerboseSecAudit.psm1 +++ b/WELAVerboseSecAudit.psm1 @@ -24,7 +24,7 @@ function Get-RuleCounts { $status = if ($filteredRules[0].applicable) { "enabled" } else { "disabled" } $result = "$status (" - $result += $levels | ForEach-Object { "$_: $($counts[$_])" } -join " | " + #$result += $levels | ForEach-Object { "$_: ${$counts[$_])" } -join " | " $result += ")" return $result 
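Review bot: `$result += $levels | ForEach-Object { "$_: $($counts[$_])" } -join " | "` in `Get-RuleCounts` does not parse as intended: `"$_:"` is read as a scope-qualified variable reference (`:` must be followed by a name) and fails to parse, and `-join` placed after a pipeline stage is taken as a parameter of `ForEach-Object`; the following hunk comments the line out rather than fixing it, which leaves every result as `"<status> ()"`. Write it as `$result += ($levels | ForEach-Object { "$($_): $($counts[$_])" }) -join " | "`. `$status` is taken from `$filteredRules[0].applicable` alone, so a subcategory is reported by its first rule; if `applicable` is per-rule rather than per-subcategory, aggregate it explicitly. The `Get-RuleCounts -guid ... -rules $rules` call added at the top of `ShowVerboseSecurity` does not assign its result, so the returned string is emitted to the output stream as a stray line. A comment-based help block stating the expected `$rules` shape (`subcategory_guids`, `level`, `applicable`) would help callers.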
From d001c8d16fb8deb553dea7bb40f9fd9217249057 Mon Sep 17 00:00:00 2001 From: fukusuket <41001169+fukusuket@users.noreply.github.com> Date: Wed, 2 Apr 2025 10:26:24 +0900 Subject: [PATCH 30/70] feat: verbose security --- WELAVerboseSecAudit.psm1 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/WELAVerboseSecAudit.psm1 b/WELAVerboseSecAudit.psm1 index 41d313e2..ddf6e5f8 100644 --- a/WELAVerboseSecAudit.psm1 +++ b/WELAVerboseSecAudit.psm1 @@ -5,7 +5,7 @@ function Get-RuleCounts { ) $filteredRules = $rules | Where-Object { $_.subcategory_guids -contains $guid } - if ($filteredRules.Count -eq 0) { + if (($filteredRules | Measure-Object).Count -eq 0) { return "no rules" } From fbe4ef4aec5c3e4d633da9197ee64dc0ac72543e Mon Sep 17 00:00:00 2001 From: fukusuket <41001169+fukusuket@users.noreply.github.com> Date: Wed, 2 Apr 2025 10:27:15 +0900 Subject: [PATCH 31/70] feat: verbose security --- WELAVerboseSecAudit.psm1 | 3 --- 1 file changed, 3 deletions(-) diff --git a/WELAVerboseSecAudit.psm1 b/WELAVerboseSecAudit.psm1 index ddf6e5f8..7c055b7a 100644 --- a/WELAVerboseSecAudit.psm1 +++ b/WELAVerboseSecAudit.psm1 @@ -5,9 +5,6 @@ function Get-RuleCounts { ) $filteredRules = $rules | Where-Object { $_.subcategory_guids -contains $guid } - if (($filteredRules | Measure-Object).Count -eq 0) { - return "no rules" - } $groupedRules = $filteredRules | Group-Object -Property level From 9dc326d03c9c803549251511a7adf26bc2b0a67e Mon Sep 17 00:00:00 2001 From: fukusuket <41001169+fukusuket@users.noreply.github.com> Date: Wed, 2 Apr 2025 10:27:58 +0900 Subject: [PATCH 32/70] feat: verbose security --- WELAVerboseSecAudit.psm1 | 1 - 1 file changed, 1 deletion(-) diff --git a/WELAVerboseSecAudit.psm1 b/WELAVerboseSecAudit.psm1 index 7c055b7a..24fc6de0 100644 --- a/WELAVerboseSecAudit.psm1 +++ b/WELAVerboseSecAudit.psm1 
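Review bot: Removing the empty-set guard leaves `$filteredRules[0].applicable` to run on `$null` when no rule carries the GUID; with strict mode off `$null[0].applicable` is `$null`, so such a subcategory is reported as `disabled` rather than as having no rules, which misstates audit coverage. Keep the `Measure-Object` check (or `if (-not $filteredRules) { return "no rules" }`) so the two cases stay distinguishable. The rest of `Get-RuleCounts` is outside the hunk.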
@@ -31,7 +31,6 @@ function ShowVerboseSecurity { param ( [array]$rules ) - Get-RuleCounts -guid "0CCE9226-69AE-11D9-BED3-505054503030" -rules $rules $m_credential_validation = "disabled (critical: 10 | high: 100 | medium | low: 10, info: 1000)" $m_kerberos_authentication_service = "disabled (critical: 10 | high: 100 | medium | low: 10, info: 1000)" $m_kerberos_sevice_ticket_operations = "disabled (critical: 10 | high: 100 | medium | low: 10, info: 1000)" From b792f7c22ee6e828e18b69cfac0029cff3b99896 Mon Sep 17 00:00:00 2001 From: fukusuket <41001169+fukusuket@users.noreply.github.com> Date: Wed, 2 Apr 2025 10:29:07 +0900 Subject: [PATCH 33/70] feat: verbose security --- WELAVerboseSecAudit.psm1 | 29 ----------------------------- 1 file changed, 29 deletions(-) diff --git a/WELAVerboseSecAudit.psm1 b/WELAVerboseSecAudit.psm1 index 24fc6de0..f6fa179f 100644 --- a/WELAVerboseSecAudit.psm1 +++ b/WELAVerboseSecAudit.psm1 @@ -1,32 +1,3 @@ -function Get-RuleCounts { - param ( - [string]$guid, - [array]$rules - ) - - $filteredRules = $rules | Where-Object { $_.subcategory_guids -contains $guid } - - $groupedRules = $filteredRules | Group-Object -Property level - - $levels = @("critical", "high", "medium", "low", "informational") - $counts = @{} - foreach ($level in $levels) { - $counts[$level] = 0 - } - - foreach ($group in $groupedRules) { - $counts[$group.Name] = $group.Count - } - - $status = if ($filteredRules[0].applicable) { "enabled" } else { "disabled" } - - $result = "$status (" - #$result += $levels | ForEach-Object { "$_: ${$counts[$_])" } -join " | " - $result += ")" - - return $result -} - function ShowVerboseSecurity { param ( [array]$rules From 411fcb81596fd0b9bd34166034a9f7d4dd0e0c78 Mon Sep 17 00:00:00 2001 From: fukusuket <41001169+fukusuket@users.noreply.github.com> Date: Wed, 2 Apr 2025 10:30:44 +0900 Subject: [PATCH 34/70] feat: verbose security --- WELAVerboseSecAudit.psm1 | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) 
diff --git a/WELAVerboseSecAudit.psm1 b/WELAVerboseSecAudit.psm1 index f6fa179f..fafed3b5 100644 --- a/WELAVerboseSecAudit.psm1 +++ b/WELAVerboseSecAudit.psm1 @@ -237,7 +237,7 @@ System $msgLines = $msg -split "`n" foreach ($line in $msgLines) { if ($line -match '.*disabled.*') { - Write-Host $line -ForegroundColor Red + Write-Host $line -ForegroundColor Red -NoNewline # $parts = $line -split '(disabled.*\))' # foreach ($part in $parts) { # if ($part -match '.*disabled.*$') { @@ -248,9 +248,9 @@ System # } # Write-Host "" } elseif ($line -match '.*enabled.*') { - Write-Host $line -ForegroundColor Green + Write-Host $line -ForegroundColor Green -NoNewline } else { - Write-Host $line + Write-Host $line -NoNewline } } Write-Host "" From e8204c29cc5f06b3cd970dfe77e84fa7de78a0e5 Mon Sep 17 00:00:00 2001 From: fukusuket <41001169+fukusuket@users.noreply.github.com> Date: Wed, 2 Apr 2025 12:22:34 +0900 Subject: [PATCH 35/70] feat: verbose security --- WELAVerboseSecAudit.psm1 | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/WELAVerboseSecAudit.psm1 b/WELAVerboseSecAudit.psm1 index fafed3b5..f6fa179f 100644 --- a/WELAVerboseSecAudit.psm1 +++ b/WELAVerboseSecAudit.psm1 @@ -237,7 +237,7 @@ System $msgLines = $msg -split "`n" foreach ($line in $msgLines) { if ($line -match '.*disabled.*') { - Write-Host $line -ForegroundColor Red -NoNewline + Write-Host $line -ForegroundColor Red # $parts = $line -split '(disabled.*\))' # foreach ($part in $parts) { # if ($part -match '.*disabled.*$') { @@ -248,9 +248,9 @@ System # } # Write-Host "" } elseif ($line -match '.*enabled.*') { - Write-Host $line -ForegroundColor Green -NoNewline + Write-Host $line -ForegroundColor Green } else { - Write-Host $line -NoNewline + Write-Host $line } } Write-Host "" From 162f295d9bba39b533971be3744916e63bfe4287 Mon Sep 17 00:00:00 2001 
From: fukusuket <41001169+fukusuket@users.noreply.github.com> Date: Wed, 2 Apr 2025 12:24:10 +0900 Subject: [PATCH 36/70] feat: verbose security --- WELAVerboseSecAudit.psm1 | 22 +++++++++++----------- 1 file changed, 11 insertions(+), 11 deletions(-) diff --git a/WELAVerboseSecAudit.psm1 b/WELAVerboseSecAudit.psm1 index f6fa179f..fcb70db9 100644 --- a/WELAVerboseSecAudit.psm1 +++ b/WELAVerboseSecAudit.psm1 @@ -236,18 +236,18 @@ System $msgLines = $msg -split "`n" foreach ($line in $msgLines) { - if ($line -match '.*disabled.*') { + if ($line -match '.*disabled.*\(') { Write-Host $line -ForegroundColor Red -# $parts = $line -split '(disabled.*\))' -# foreach ($part in $parts) { -# if ($part -match '.*disabled.*$') { -# Write-Host -NoNewline $part -ForegroundColor Red -# } else { -# Write-Host -NoNewline $part -# } -# } -# Write-Host "" - } elseif ($line -match '.*enabled.*') { + $parts = $line -split '(disabled.*\))' + foreach ($part in $parts) { + if ($part -match '.*disabled.*$') { + Write-Host -NoNewline $part -ForegroundColor Red + } else { + Write-Host -NoNewline $part + } + } + Write-Host "" + } elseif ($line -match '.*enabled.*\(') { Write-Host $line -ForegroundColor Green } else { Write-Host $line From 20c78d55a6a5eb70c3908bde98d23f909911a68a Mon Sep 17 00:00:00 2001 From: fukusuket <41001169+fukusuket@users.noreply.github.com> Date: Wed, 2 Apr 2025 12:24:42 +0900 Subject: [PATCH 37/70] feat: verbose security --- WELAVerboseSecAudit.psm1 | 1 - 1 file changed, 1 deletion(-) diff --git a/WELAVerboseSecAudit.psm1 b/WELAVerboseSecAudit.psm1 index fcb70db9..0aa196db 100644 --- a/WELAVerboseSecAudit.psm1 +++ b/WELAVerboseSecAudit.psm1 @@ -237,7 +237,6 @@ System $msgLines = $msg -split "`n" foreach ($line in $msgLines) { if ($line -match '.*disabled.*\(') { - Write-Host $line -ForegroundColor Red $parts = $line -split '(disabled.*\))' foreach ($part in $parts) { if ($part -match '.*disabled.*$') { 
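Review bot: The split loop is entered only for lines where `disabled` precedes a `(`, but the per-part test `'.*disabled.*$'` is looser than the split pattern `'(disabled.*\))'`, so a prose part that merely contains the word would also be coloured red; testing the part against the same shape, `if ($part -match 'disabled.*\)')`, keeps the two in step. `-match` is unanchored, so the leading and trailing `.*` in `'.*disabled.*\('`, `'.*enabled.*\('` and `'.*disabled.*$'` are redundant and only obscure what is being matched. The whole-line `Write-Host $line -ForegroundColor Red` kept above the new loop prints each disabled line twice until the following hunk removes it, and the `enabled` branch still colours the entire line, so the two states render differently. The enclosing foreach and ShowVerboseSecurity begin outside the hunk.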
From 1a5e3ff1eee6683c0f6da34738bb5954aaab0bb5 Mon Sep 17 00:00:00 2001 From: fukusuket <41001169+fukusuket@users.noreply.github.com> Date: Wed, 2 Apr 2025 13:07:58 +0900 Subject: [PATCH 38/70] feat: verbose security --- WELAVerboseSecAudit.psm1 | 28 ++++++++++++++++++++++++++++ 1 file changed, 28 insertions(+) diff --git a/WELAVerboseSecAudit.psm1 b/WELAVerboseSecAudit.psm1 index 0aa196db..4e58230c 100644 --- a/WELAVerboseSecAudit.psm1 +++ b/WELAVerboseSecAudit.psm1 @@ -1,7 +1,35 @@ +function CountRules { + param ( + [string]$guid, + [array]$rules + ) + $filterd_rules = $rules | Where-Object { $_.subcategory_guids -contains $guid } + + $counts = @{ + critical = 0 + high = 0 + medium = 0 + low = 0 + informational = 0 + } + + # ルールをループしてlevel毎にカウント + foreach ($rule in $filterd_rules) { + if ($counts.ContainsKey($rule.level)) { + $counts[$rule.level]++ + } + } + + $result = "(critical: $($counts['critical']) | high: $($counts['high']) | medium: $($counts['medium']) | low: $($counts['low']), info: $($counts['informational']))" + return $result +} + function ShowVerboseSecurity { param ( [array]$rules ) + CountRules -guid "0CCE9226-69AE-11D9-BED3-505054503030" -rules $rules + $m_credential_validation = "disabled (critical: 10 | high: 100 | medium | low: 10, info: 1000)" $m_kerberos_authentication_service = "disabled (critical: 10 | high: 100 | medium | low: 10, info: 1000)" $m_kerberos_sevice_ticket_operations = "disabled (critical: 10 | high: 100 | medium | low: 10, info: 1000)" From f6ac3c9ee28085c1d787c8479feb0a249e1cf3bc Mon Sep 17 00:00:00 2001 From: fukusuket <41001169+fukusuket@users.noreply.github.com> Date: Wed, 2 Apr 2025 13:09:34 +0900 Subject: [PATCH 39/70] feat: verbose security --- WELAVerboseSecAudit.psm1 | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/WELAVerboseSecAudit.psm1 b/WELAVerboseSecAudit.psm1 index 4e58230c..2eec03cb 100644 --- a/WELAVerboseSecAudit.psm1 +++ b/WELAVerboseSecAudit.psm1 
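Review bot: `$counts.ContainsKey($rule.level)` throws if a rule has no `level` field, because Hashtable.ContainsKey rejects a null key, so one malformed rule file would abort the whole report; guard it with `if ($rule.level -and $counts.ContainsKey($rule.level))`. Rules whose level is not one of the five keys are silently dropped from the count, which may be intended but deserves a comment such as `# rules with an unknown level are not counted`. The bare `CountRules -guid "0CCE9226-69AE-11D9-BED3-505054503030" -rules $rules` statement added to ShowVerboseSecurity writes its return string to the function's output stream instead of into the report. `$filterd_rules` looks like a misspelling of `$filtered_rules`, and the loop comment is in Japanese; in English it reads `# count the filtered rules per level`.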
@@ -13,7 +13,6 @@ function CountRules { informational = 0 } - # ルールをループしてlevel毎にカウント foreach ($rule in $filterd_rules) { if ($counts.ContainsKey($rule.level)) { $counts[$rule.level]++ @@ -28,7 +27,6 @@ function ShowVerboseSecurity { param ( [array]$rules ) - CountRules -guid "0CCE9226-69AE-11D9-BED3-505054503030" -rules $rules $m_credential_validation = "disabled (critical: 10 | high: 100 | medium | low: 10, info: 1000)" $m_kerberos_authentication_service = "disabled (critical: 10 | high: 100 | medium | low: 10, info: 1000)" @@ -52,7 +50,7 @@ function ShowVerboseSecurity { $m_detailed_file_share = "disabled (critical: 10 | high: 100 | medium | low: 10, info: 1000)" $m_file_share = "disabled (critical: 10 | high: 100 | medium | low: 10, info: 1000)" $m_file_system = "disabled (critical: 10 | high: 100 | medium | low: 10, info: 1000)" - $m_filtering_platform_connection = "disabled (critical: 10 | high: 100 | medium | low: 10, info: 1000)" + $m_filtering_platform_connection = CountRules -guid "0CCE9226-69AE-11D9-BED3-505054503030" -rules $rules $m_filtering_platform_packet_drop = "disabled (critical: 10 | high: 100 | medium | low: 10, info: 1000)" $m_kernel_object = "disabled (critical: 10 | high: 100 | medium | low: 10, info: 1000)" $m_handle_manipulation = "disabled (critical: 10 | high: 100 | medium | low: 10, info: 1000)" From 15e7b8ea48a75f3b6ecba3e2695fdb76e5fa1c6e Mon Sep 17 00:00:00 2001 From: fukusuket <41001169+fukusuket@users.noreply.github.com> Date: Wed, 2 Apr 2025 13:12:08 +0900 Subject: [PATCH 40/70] feat: verbose security --- WELAVerboseSecAudit.psm1 | 84 ++++++++++++++++++++-------------------- 1 file changed, 42 insertions(+), 42 deletions(-) diff --git a/WELAVerboseSecAudit.psm1 b/WELAVerboseSecAudit.psm1 index 2eec03cb..8f85fc84 100644 --- a/WELAVerboseSecAudit.psm1 +++ b/WELAVerboseSecAudit.psm1 
@@ -19,7 +19,7 @@ function CountRules { } } - $result = "(critical: $($counts['critical']) | high: $($counts['high']) | medium: $($counts['medium']) | low: $($counts['low']), info: $($counts['informational']))" + $result = "disabled (critical: $($counts['critical']) | high: $($counts['high']) | medium: $($counts['medium']) | low: $($counts['low']), info: $($counts['informational']))" return $result } 
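Review bot: `$result = "disabled (critical: ...)"` hardcodes the status, so every subcategory in the report will read as disabled whatever the effective audit policy is; for a tool whose purpose is to tell an operator which audit subcategories are off, a constant here is more misleading than no status. The Get-RuleCounts this function replaced derived it from its filtered list, and CountRules should do the same: `$status = if ($filterd_rules[0].applicable) { "enabled" } else { "disabled" }` followed by `$result = "$status (critical: ...)"`. If the literal is a stopgap, mark it `# TODO: derive status from the rules' applicable flag` so it is not shipped as-is.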
@@ -28,48 +28,48 @@ function ShowVerboseSecurity { [array]$rules ) - $m_credential_validation = "disabled (critical: 10 | high: 100 | medium | low: 10, info: 1000)" - $m_kerberos_authentication_service = "disabled (critical: 10 | high: 100 | medium | low: 10, info: 1000)" - $m_kerberos_sevice_ticket_operations = "disabled (critical: 10 | high: 100 | medium | low: 10, info: 1000)" - $m_computer_account_management = "disabled (critical: 10 | high: 100 | medium | low: 10, info: 1000)" - $m_other_account_management = "disabled (critical: 10 | high: 100 | medium | low: 10, info: 1000)" - $m_security_group_management = "disabled (critical: 10 | high: 100 | medium | low: 10, info: 1000)" - $m_user_account_management = "disabled (critical: 10 | high: 100 | medium | low: 10, info: 1000)" - $m_plug_and_play_events = "disabled (critical: 10 | high: 100 | medium | low: 10, info: 1000)" - $m_process_creation = "disabled (critical: 10 | high: 100 | medium | low: 10, info: 1000)" - $m_process_termination = "disabled (critical: 10 | high: 100 | medium | low: 10, info: 1000)" - $m_rpc_events = "disabled (critical: 10 | high: 100 | medium | low: 10, info: 1000)" - $m_token_right_adjusted_events = "disabled (critical: 10 | high: 100 | medium | low: 10, info: 1000)" - $m_directory_service_access = "disabled (critical: 10 | high: 100 | medium | low: 10, info: 1000)" - $m_account_lockout = "disabled (critical: 10 | high: 100 | medium | low: 10, info: 1000)" - $m_logoff = "disabled (critical: 10 | high: 100 | medium | low: 10, info: 1000)" - $m_logon = "disabled (critical: 10 | high: 100 | medium | low: 10, info: 1000)" - $m_other_logon_logoff_events = "disabled (critical: 10 | high: 100 | medium | low: 10, info: 1000)" - $m_special_logon = "disabled (critical: 10 | high: 100 | medium | low: 10, info: 1000)" - $m_certification_services = "disabled (critical: 10 | high: 100 | medium | low: 10, info: 1000)" - $m_detailed_file_share = "disabled (critical: 10 | high: 100 | medium | low: 10, 
info: 1000)" - $m_file_share = "disabled (critical: 10 | high: 100 | medium | low: 10, info: 1000)" - $m_file_system = "disabled (critical: 10 | high: 100 | medium | low: 10, info: 1000)" + $m_credential_validation = CountRules -guid "" -rules $rules + $m_kerberos_authentication_service = CountRules -guid "" -rules $rules + $m_kerberos_sevice_ticket_operations = CountRules -guid "" -rules $rules + $m_computer_account_management = CountRules -guid "" -rules $rules + $m_other_account_management = CountRules -guid "" -rules $rules + $m_security_group_management = CountRules -guid "" -rules $rules + $m_user_account_management = CountRules -guid "" -rules $rules + $m_plug_and_play_events = CountRules -guid "" -rules $rules + $m_process_creation = CountRules -guid "" -rules $rules + $m_process_termination = CountRules -guid "" -rules $rules + $m_rpc_events = CountRules -guid "" -rules $rules + $m_token_right_adjusted_events = CountRules -guid "" -rules $rules + $m_directory_service_access = CountRules -guid "" -rules $rules + $m_account_lockout = CountRules -guid "" -rules $rules + $m_logoff = CountRules -guid "" -rules $rules + $m_logon = CountRules -guid "" -rules $rules + $m_other_logon_logoff_events = CountRules -guid "" -rules $rules + $m_special_logon = CountRules -guid "" -rules $rules + $m_certification_services = CountRules -guid "" -rules $rules + $m_detailed_file_share = CountRules -guid "" -rules $rules + $m_file_share = CountRules -guid "" -rules $rules + $m_file_system = CountRules -guid "" -rules $rules $m_filtering_platform_connection = CountRules -guid "0CCE9226-69AE-11D9-BED3-505054503030" -rules $rules - $m_filtering_platform_packet_drop = "disabled (critical: 10 | high: 100 | medium | low: 10, info: 1000)" - $m_kernel_object = "disabled (critical: 10 | high: 100 | medium | low: 10, info: 1000)" - $m_handle_manipulation = "disabled (critical: 10 | high: 100 | medium | low: 10, info: 1000)" - $m_other_object_access_events = "disabled (critical: 10 | 
high: 100 | medium | low: 10, info: 1000)" - $m_registry = "disabled (critical: 10 | high: 100 | medium | low: 10, info: 1000)" - $m_removable_storage = "disabled (critical: 10 | high: 100 | medium | low: 10, info: 1000)" - $m_sam = "disabled (critical: 10 | high: 100 | medium | low: 10, info: 1000)" - $m_audit_policy_change = "disabled (critical: 10 | high: 100 | medium | low: 10, info: 1000)" - $m_authentication_policy_change = "disabled (critical: 10 | high: 100 | medium | low: 10, info: 1000)" - $m_authorization_policy_change = "disabled (critical: 10 | high: 100 | medium | low: 10, info: 1000)" - $m_filtering_platform_policy_change = "disabled (critical: 10 | high: 100 | medium | low: 10, info: 1000)" - $m_mpssvc_rule_level_policy_change = "disabled (critical: 10 | high: 100 | medium | low: 10, info: 1000)" - $m_other_policy_change_events = "disabled (critical: 10 | high: 100 | medium | low: 10, info: 1000)" - $m_non_sensitive_use_events = "disabled (critical: 10 | high: 100 | medium | low: 10, info: 1000)" - $m_sensitive_privilege_use = "disabled (critical: 10 | high: 100 | medium | low: 10, info: 1000)" - $m_other_system_events = "disabled (critical: 10 | high: 100 | medium | low: 10, info: 1000)" - $m_security_state_change = "disabled (critical: 10 | high: 100 | medium | low: 10, info: 1000)" - $m_security_system_extension = "disabled (critical: 10 | high: 100 | medium | low: 10, info: 1000)" - $m_system_integrity = "disabled (critical: 10 | high: 100 | medium | low: 10, info: 1000)" + $m_filtering_platform_packet_drop = CountRules -guid "" -rules $rules + $m_kernel_object = CountRules -guid "" -rules $rules + $m_handle_manipulation = CountRules -guid "" -rules $rules + $m_other_object_access_events = CountRules -guid "" -rules $rules + $m_registry = CountRules -guid "" -rules $rules + $m_removable_storage = CountRules -guid "" -rules $rules + $m_sam = CountRules -guid "" -rules $rules + $m_audit_policy_change = CountRules -guid "" -rules $rules + 
$m_authentication_policy_change = CountRules -guid "" -rules $rules + $m_authorization_policy_change = CountRules -guid "" -rules $rules + $m_filtering_platform_policy_change = CountRules -guid "" -rules $rules + $m_mpssvc_rule_level_policy_change = CountRules -guid "" -rules $rules + $m_other_policy_change_events = CountRules -guid "" -rules $rules + $m_non_sensitive_use_events = CountRules -guid "" -rules $rules + $m_sensitive_privilege_use = CountRules -guid "" -rules $rules + $m_other_system_events = CountRules -guid "" -rules $rules + $m_security_state_change = CountRules -guid "0CCE9210-69AE-11D9-BED3-505054503030" -rules $rules + $m_security_system_extension = CountRules -guid "" -rules $rules + $m_system_integrity = CountRules -guid "" -rules $rules $msg = @" Detailed Security category settings: From a3f5780d754d94ea82ee2ec45e3522fe629d9b62 Mon Sep 17 00:00:00 2001 From: fukusuket <41001169+fukusuket@users.noreply.github.com> Date: Wed, 2 Apr 2025 13:13:31 +0900 Subject: [PATCH 41/70] feat: verbose security --- WELAVerboseSecAudit.psm1 | 1 - 1 file changed, 1 deletion(-) diff --git a/WELAVerboseSecAudit.psm1 b/WELAVerboseSecAudit.psm1 index 8f85fc84..69f1ecc5 100644 --- a/WELAVerboseSecAudit.psm1 +++ b/WELAVerboseSecAudit.psm1 @@ -271,7 +271,6 @@ System Write-Host -NoNewline $part } } - Write-Host "" } elseif ($line -match '.*enabled.*\(') { Write-Host $line -ForegroundColor Green } else { From a8ae5d77b0bd2bff986c8a70e7c2a0b2d8f88b14 Mon Sep 17 00:00:00 2001 From: fukusuket <41001169+fukusuket@users.noreply.github.com> Date: Wed, 2 Apr 2025 13:14:36 +0900 Subject: [PATCH 42/70] feat: verbose security --- WELAVerboseSecAudit.psm1 | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/WELAVerboseSecAudit.psm1 b/WELAVerboseSecAudit.psm1 index 69f1ecc5..beddc065 100644 --- a/WELAVerboseSecAudit.psm1 +++ b/WELAVerboseSecAudit.psm1 
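Review bot: All but two of the new assignments pass `-guid ""`, so `-contains ""` matches no rule (unless a rule carries an empty GUID) and each of those subcategories renders as `disabled (critical: 0 | ...)`, indistinguishable from a genuinely empty subcategory and misleading to whoever reads the report. Until the real identifiers are filled in, an empty GUID should be rejected up front in CountRules, `if (-not $guid) { return "(GUID not mapped)" }`, so the placeholder is visible in the output rather than silently counted as zero. Only `$m_filtering_platform_connection` and `$m_security_state_change` carry real subcategory GUIDs in this hunk; ShowVerboseSecurity continues past the hunk.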
@@ -272,9 +272,9 @@ System } } } elseif ($line -match '.*enabled.*\(') { - Write-Host $line -ForegroundColor Green + Write-Host $line -ForegroundColor Green -NoNewline } else { - Write-Host $line + Write-Host $line -NoNewline } } Write-Host "" From 41514c078fc6bd24f287f7498aa9ef3ac83cd65a Mon Sep 17 00:00:00 2001 From: fukusuket <41001169+fukusuket@users.noreply.github.com> Date: Wed, 2 Apr 2025 13:30:03 +0900 Subject: [PATCH 43/70] feat: verbose security --- WELAVerboseSecAudit.psm1 | 80 ++++++++++++++++++++-------------------- 1 file changed, 40 insertions(+), 40 deletions(-) diff --git a/WELAVerboseSecAudit.psm1 b/WELAVerboseSecAudit.psm1 index beddc065..fbe98a48 100644 --- a/WELAVerboseSecAudit.psm1 +++ b/WELAVerboseSecAudit.psm1 
@@ -28,48 +28,48 @@ function ShowVerboseSecurity { [array]$rules ) - $m_credential_validation = CountRules -guid "" -rules $rules - $m_kerberos_authentication_service = CountRules -guid "" -rules $rules - $m_kerberos_sevice_ticket_operations = CountRules -guid "" -rules $rules - $m_computer_account_management = CountRules -guid "" -rules $rules - $m_other_account_management = CountRules -guid "" -rules $rules - $m_security_group_management = CountRules -guid "" -rules $rules - $m_user_account_management = CountRules -guid "" -rules $rules - $m_plug_and_play_events = CountRules -guid "" -rules $rules - $m_process_creation = CountRules -guid "" -rules $rules - $m_process_termination = CountRules -guid "" -rules $rules - $m_rpc_events = CountRules -guid "" -rules $rules - $m_token_right_adjusted_events = CountRules -guid "" -rules $rules - $m_directory_service_access = CountRules -guid "" -rules $rules - $m_account_lockout = CountRules -guid "" -rules $rules - $m_logoff = CountRules -guid "" -rules $rules - $m_logon = CountRules -guid "" -rules $rules - $m_other_logon_logoff_events = CountRules -guid "" -rules $rules - $m_special_logon = CountRules -guid "" -rules $rules - $m_certification_services = CountRules -guid "" -rules $rules - $m_detailed_file_share = CountRules -guid "" -rules $rules - $m_file_share = CountRules -guid "" -rules $rules - $m_file_system = CountRules -guid "" -rules $rules + $m_credential_validation = CountRules -guid "0CCE923F-69AE-11D9-BED3-505054503030" -rules $rules + $m_kerberos_authentication_service = CountRules -guid "0CCE9242-69AE-11D9-BED3-505054503030" -rules $rules + $m_kerberos_sevice_ticket_operations = CountRules -guid "0CCE9240-69AE-11D9-BED3-505054503030" -rules $rules + $m_computer_account_management = CountRules -guid "0CCE9236-69AE-11D9-BED3-505054503030" -rules $rules + $m_other_account_management = CountRules -guid "0CCE923A-69AE-11D9-BED3-505054503030" -rules $rules + $m_security_group_management = CountRules -guid 
"0CCE9237-69AE-11D9-BED3-505054503030" -rules $rules + $m_user_account_management = CountRules -guid "0CCE9235-69AE-11D9-BED3-505054503030" -rules $rules + $m_plug_and_play_events = CountRules -guid "0CCE9248-69AE-11D9-BED3-505054503030" -rules $rules + $m_process_creation = CountRules -guid "0CCE922B-69AE-11D9-BED3-505054503030" -rules $rules + $m_process_termination = CountRules -guid "0CCE922C-69AE-11D9-BED3-505054503030" -rules $rules + $m_rpc_events = CountRules -guid "0CCE922E-69AE-11D9-BED3-505054503030" -rules $rules + $m_token_right_adjusted_events = CountRules -guid "0CCE924A-69AE-11D9-BED3-505054503030" -rules $rules + $m_directory_service_access = CountRules -guid "0CCE923B-69AE-11D9-BED3-505054503030" -rules $rules + $m_account_lockout = CountRules -guid "0CCE9217-69AE-11D9-BED3-505054503030" -rules $rules + $m_logoff = CountRules -guid "0CCE9216-69AE-11D9-BED3-505054503030" -rules $rules + $m_logon = CountRules -guid "0CCE9215-69AE-11D9-BED3-505054503030" -rules $rules + $m_other_logon_logoff_events = CountRules -guid "0CCE921C-69AE-11D9-BED3-505054503030" -rules $rules + $m_special_logon = CountRules -guid "0CCE921B-69AE-11D9-BED3-505054503030" -rules $rules + $m_certification_services = CountRules -guid "0CCE9221-69AE-11D9-BED3-505054503030" -rules $rules + $m_detailed_file_share = CountRules -guid "0CCE9244-69AE-11D9-BED3-505054503030" -rules $rules + $m_file_share = CountRules -guid "0CCE9224-69AE-11D9-BED3-505054503030" -rules $rules + $m_file_system = CountRules -guid "0CCE921D-69AE-11D9-BED3-505054503030" -rules $rules $m_filtering_platform_connection = CountRules -guid "0CCE9226-69AE-11D9-BED3-505054503030" -rules $rules - $m_filtering_platform_packet_drop = CountRules -guid "" -rules $rules - $m_kernel_object = CountRules -guid "" -rules $rules - $m_handle_manipulation = CountRules -guid "" -rules $rules - $m_other_object_access_events = CountRules -guid "" -rules $rules - $m_registry = CountRules -guid "" -rules $rules - $m_removable_storage 
= CountRules -guid "" -rules $rules - $m_sam = CountRules -guid "" -rules $rules - $m_audit_policy_change = CountRules -guid "" -rules $rules - $m_authentication_policy_change = CountRules -guid "" -rules $rules - $m_authorization_policy_change = CountRules -guid "" -rules $rules - $m_filtering_platform_policy_change = CountRules -guid "" -rules $rules - $m_mpssvc_rule_level_policy_change = CountRules -guid "" -rules $rules - $m_other_policy_change_events = CountRules -guid "" -rules $rules - $m_non_sensitive_use_events = CountRules -guid "" -rules $rules - $m_sensitive_privilege_use = CountRules -guid "" -rules $rules - $m_other_system_events = CountRules -guid "" -rules $rules + $m_filtering_platform_packet_drop = CountRules -guid "0CCE9225-69AE-11D9-BED3-505054503030" -rules $rules + $m_kernel_object = CountRules -guid "0CCE921F-69AE-11D9-BED3-505054503030" -rules $rules + $m_handle_manipulation = CountRules -guid "0CCE9223-69AE-11D9-BED3-505054503030" -rules $rules + $m_other_object_access_events = CountRules -guid "0CCE9227-69AE-11D9-BED3-505054503030" -rules $rules + $m_registry = CountRules -guid "0CCE921E-69AE-11D9-BED3-505054503030" -rules $rules + $m_removable_storage = CountRules -guid "0CCE9245-69AE-11D9-BED3-505054503030" -rules $rules + $m_sam = CountRules -guid "0CCE9220-69AE-11D9-BED3-505054503030" -rules $rules + $m_audit_policy_change = CountRules -guid "0CCE922F-69AE-11D9-BED3-505054503030" -rules $rules + $m_authentication_policy_change = CountRules -guid "0CCE9230-69AE-11D9-BED3-505054503030" -rules $rules + $m_authorization_policy_change = CountRules -guid "0CCE9231-69AE-11D9-BED3-505054503030" -rules $rules + $m_filtering_platform_policy_change = CountRules -guid "0CCE9233-69AE-11D9-BED3-505054503030" -rules $rules + $m_mpssvc_rule_level_policy_change = CountRules -guid "0CCE9232-69AE-11D9-BED3-505054503030" -rules $rules + $m_other_policy_change_events = CountRules -guid "0CCE9234-69AE-11D9-BED3-505054503030" -rules $rules + 
$m_non_sensitive_use_events = CountRules -guid "0CCE9229-69AE-11D9-BED3-505054503030" -rules $rules + $m_sensitive_privilege_use = CountRules -guid "0CCE9228-69AE-11D9-BED3-505054503030" -rules $rules + $m_other_system_events = CountRules -guid "0CCE9214-69AE-11D9-BED3-505054503030" -rules $rules $m_security_state_change = CountRules -guid "0CCE9210-69AE-11D9-BED3-505054503030" -rules $rules - $m_security_system_extension = CountRules -guid "" -rules $rules - $m_system_integrity = CountRules -guid "" -rules $rules + $m_security_system_extension = CountRules -guid "0CCE9211-69AE-11D9-BED3-505054503030" -rules $rules + $m_system_integrity = CountRules -guid "0CCE9212-69AE-11D9-BED3-505054503030" -rules $rules $msg = @" Detailed Security category settings: From 6fa1d10dd0a9b5dfbd8d2584dee93f16931c6cb5 Mon Sep 17 00:00:00 2001 From: fukusuket <41001169+fukusuket@users.noreply.github.com> Date: Wed, 2 Apr 2025 13:31:10 +0900 Subject: [PATCH 44/70] feat: verbose security --- WELAVerboseSecAudit.psm1 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/WELAVerboseSecAudit.psm1 b/WELAVerboseSecAudit.psm1 index fbe98a48..f774b5f8 100644 --- a/WELAVerboseSecAudit.psm1 +++ b/WELAVerboseSecAudit.psm1 @@ -274,7 +274,7 @@ System } elseif ($line -match '.*enabled.*\(') { Write-Host $line -ForegroundColor Green -NoNewline } else { - Write-Host $line -NoNewline + Write-Host $line } } Write-Host "" From 0e23646610e0b9204a8974f4291ece78969b585f Mon Sep 17 00:00:00 2001 From: fukusuket <41001169+fukusuket@users.noreply.github.com> Date: Wed, 2 Apr 2025 13:32:30 +0900 Subject: [PATCH 45/70] feat: verbose security --- WELAVerboseSecAudit.psm1 | 1 + 1 file changed, 1 insertion(+) diff --git a/WELAVerboseSecAudit.psm1 b/WELAVerboseSecAudit.psm1 index f774b5f8..aa1a259b 100644 --- a/WELAVerboseSecAudit.psm1 +++ b/WELAVerboseSecAudit.psm1 
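Review bot: The subcategory GUIDs are spread over forty-odd string literals, one per `$m_*` variable, which makes the mapping hard to review and the here-string easy to let drift from it; a single table keyed by subcategory name, `$subcategoryGuids = @{ 'Credential Validation' = '0CCE923F-69AE-11D9-BED3-505054503030'; 'Logon' = '0CCE9215-69AE-11D9-BED3-505054503030' }` and so on, iterated once, would leave one place to check against the Windows audit subcategory list. CountRules matches with `-contains $guid`, which is case-insensitive but otherwise exact, so a rule that stores the GUID with braces or in another format would be silently missed rather than flagged — worth confirming against the rule files' `subcategory_guids` values. ShowVerboseSecurity continues past the hunk.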
@@ -271,6 +271,7 @@ System Write-Host -NoNewline $part } } + Write-Host "" } elseif ($line -match '.*enabled.*\(') { Write-Host $line -ForegroundColor Green -NoNewline } else { From 74dffca4b94949bc2fccfb970889dd473d8d96c4 Mon Sep 17 00:00:00 2001 From: fukusuket <41001169+fukusuket@users.noreply.github.com> Date: Wed, 2 Apr 2025 13:37:11 +0900 Subject: [PATCH 46/70] feat: verbose security --- WELAVerboseSecAudit.psm1 | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/WELAVerboseSecAudit.psm1 b/WELAVerboseSecAudit.psm1 index aa1a259b..21d7d404 100644 --- a/WELAVerboseSecAudit.psm1 +++ b/WELAVerboseSecAudit.psm1 @@ -41,7 +41,9 @@ function ShowVerboseSecurity { $m_rpc_events = CountRules -guid "0CCE922E-69AE-11D9-BED3-505054503030" -rules $rules $m_token_right_adjusted_events = CountRules -guid "0CCE924A-69AE-11D9-BED3-505054503030" -rules $rules $m_directory_service_access = CountRules -guid "0CCE923B-69AE-11D9-BED3-505054503030" -rules $rules + $m_directory_service_changes = CountRules -guid "0CCE923C-69AE-11D9-BED3-505054503030" -rules $rules $m_account_lockout = CountRules -guid "0CCE9217-69AE-11D9-BED3-505054503030" -rules $rules + $m_group_membership = CountRules -guid "0CCE9249-69AE-11D9-BED3-505054503030" -rules $rules $m_logoff = CountRules -guid "0CCE9216-69AE-11D9-BED3-505054503030" -rules $rules $m_logon = CountRules -guid "0CCE9215-69AE-11D9-BED3-505054503030" -rules $rules $m_other_logon_logoff_events = CountRules -guid "0CCE921C-69AE-11D9-BED3-505054503030" -rules $rules @@ -129,7 +131,7 @@ DS (Directory Service) Access - Volume: High - Default settings: Client OS: No Auditing | Server OS: Success - Recommended settings: Client OS: No Auditing | ADDS Server: Success and Failure - - Directory Service Changes + - Directory Service Changes $m_directory_service_changes - Volume: High - Default settings: No Auditing - Recommended settings: Client OS: No Auditing | ADDS Server: Success and Failure 
@@ -138,7 +140,7 @@ Logon/Logoff - Volume: Low - Default settings: Success - Recommended settings: Success and Failure - - Group Membership + - Group Membership $m_group_membership - Volume: Adds an extra 4627 event to every logon. - Default settings: No Auditing - Recommended settings: No Auditing From bad93d6ba3b04c3b17db21fc0b7701512578af73 Mon Sep 17 00:00:00 2001 From: fukusuket <41001169+fukusuket@users.noreply.github.com> Date: Wed, 2 Apr 2025 17:47:06 +0900 Subject: [PATCH 47/70] feat: verbose security --- WELAVerboseSecAudit.psm1 | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/WELAVerboseSecAudit.psm1 b/WELAVerboseSecAudit.psm1 index 21d7d404..682a18cd 100644 --- a/WELAVerboseSecAudit.psm1 +++ b/WELAVerboseSecAudit.psm1 @@ -5,6 +5,9 @@ function CountRules { ) $filterd_rules = $rules | Where-Object { $_.subcategory_guids -contains $guid } + if ($filterd_rules.Count -eq 0) { + return "(No rule)" + } $counts = @{ critical = 0 high = 0 @@ -18,8 +21,8 @@ function CountRules { $counts[$rule.level]++ } } - - $result = "disabled (critical: $($counts['critical']) | high: $($counts['high']) | medium: $($counts['medium']) | low: $($counts['low']), info: $($counts['informational']))" + $status = if ($rules[0].applicable) { "enabled" } else { "disabled" } + $result = "$status (critical: $($counts['critical']) | high: $($counts['high']) | medium: $($counts['medium']) | low: $($counts['low']), info: $($counts['informational']))" return $result } From 890ec81bfdefa6bc6e71037dd7a33c18fee8a9af Mon Sep 17 00:00:00 2001 From: fukusuket <41001169+fukusuket@users.noreply.github.com> Date: Wed, 2 Apr 2025 17:48:12 +0900 Subject: [PATCH 48/70] feat: verbose security --- WELAVerboseSecAudit.psm1 | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/WELAVerboseSecAudit.psm1 b/WELAVerboseSecAudit.psm1 index 682a18cd..b6e78d75 100644 --- a/WELAVerboseSecAudit.psm1 +++ b/WELAVerboseSecAudit.psm1 
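Review bot: `if ($filterd_rules.Count -eq 0)` relies on the synthetic Count that PowerShell adds to a bare object and to `$null`, since `Where-Object` unrolls a single match into a scalar; `if (@($filterd_rules).Count -eq 0)` states the intent explicitly and works for zero, one or many matches. The early `return "(No rule)"` also drops the enabled/disabled status for that subcategory, so an operator cannot tell whether a subcategory without detection rules is audited at all; if the status can only be derived from rules that is unavoidable, but it deserves a comment, `# no rule references this subcategory, so its audit status cannot be derived here`.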
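Review bot: `$status = if ($rules[0].applicable)` reads the first element of the unfiltered `$rules`, not of `$filterd_rules`, so every subcategory reports the applicability of whichever rule happens to come first in the input and the enabled/disabled colouring in the report becomes a constant. The line should be `$status = if ($filterd_rules[0].applicable) { "enabled" } else { "disabled" }`, as the removed Get-RuleCounts did with its own filtered list. That presumes `applicable` is populated per rule from its subcategory's audit state — worth confirming where the flag is set. The empty-list case is already handled by the `(No rule)` return in the preceding hunk, so indexing `[0]` here is safe.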
@@ -278,7 +278,15 @@ System
 }
 Write-Host ""
 } elseif ($line -match '.*enabled.*\(') {
- Write-Host $line -ForegroundColor Green -NoNewline
+ $parts = $line -split '(enabled.*\))'
+ foreach ($part in $parts) {
+ if ($part -match '.*enabled.*$') {
+ Write-Host -NoNewline $part -ForegroundColor Red
+ } else {
+ Write-Host -NoNewline $part
+ }
+ }
+ Write-Host ""
 } else {
 Write-Host $line
 }
From 7f7182f476a93d9736be193f6f45f0a5df46032b Mon Sep 17 00:00:00 2001
From: fukusuket <41001169+fukusuket@users.noreply.github.com>
Date: Wed, 2 Apr 2025 17:48:44 +0900
Subject: [PATCH 49/70] feat: verbose security
---
 WELAVerboseSecAudit.psm1 | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/WELAVerboseSecAudit.psm1 b/WELAVerboseSecAudit.psm1
index b6e78d75..51ea335d 100644
--- a/WELAVerboseSecAudit.psm1
+++ b/WELAVerboseSecAudit.psm1
@@ -281,7 +281,7 @@ System
 $parts = $line -split '(enabled.*\))'
 foreach ($part in $parts) {
 if ($part -match '.*enabled.*$') {
- Write-Host -NoNewline $part -ForegroundColor Red
+ Write-Host -NoNewline $part -ForegroundColor Green
 } else {
 Write-Host -NoNewline $part
 }
From fdc1c188eb7cc1830e5c537883013064004f25e2 Mon Sep 17 00:00:00 2001
From: fukusuket <41001169+fukusuket@users.noreply.github.com>
Date: Wed, 2 Apr 2025 17:52:27 +0900
Subject: [PATCH 50/70] feat: verbose security
---
 WELAVerboseSecAudit.psm1 | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/WELAVerboseSecAudit.psm1 b/WELAVerboseSecAudit.psm1
index 51ea335d..bc4d524c 100644
--- a/WELAVerboseSecAudit.psm1
+++ b/WELAVerboseSecAudit.psm1
@@ -288,7 +288,7 @@ System
 }
 Write-Host ""
 } else {
- Write-Host $line
+ Write-Host -NoNewline $line
 }
 }
 Write-Host ""
From 77adb19124b996aed13424bc7b2d0783fc5ae0f2 Mon Sep 17 00:00:00 2001
From: fukusuket <41001169+fukusuket@users.noreply.github.com>
Date: Wed, 2 Apr 2025 17:54:28 +0900
Subject: [PATCH 51/70] feat: verbose security
---
 WELAVerboseSecAudit.psm1 | 2 --
 1 file changed, 2 deletions(-)
diff --git a/WELAVerboseSecAudit.psm1 b/WELAVerboseSecAudit.psm1
index bc4d524c..292ffdf7 100644
--- a/WELAVerboseSecAudit.psm1
+++ b/WELAVerboseSecAudit.psm1
@@ -276,7 +276,6 @@ System
 Write-Host -NoNewline $part
 }
 }
- Write-Host ""
 } elseif ($line -match '.*enabled.*\(') {
 $parts = $line -split '(enabled.*\))'
 foreach ($part in $parts) {
@@ -286,7 +285,6 @@ System
 Write-Host -NoNewline $part
 }
 }
- Write-Host ""
 } else {
 Write-Host -NoNewline $line
 }
From c658ec3f7678ab6731aea9e66924b0b279eadbf1 Mon Sep 17 00:00:00 2001
From: fukusuket <41001169+fukusuket@users.noreply.github.com>
Date: Wed, 2 Apr 2025 17:54:59 +0900
Subject: [PATCH 52/70] feat: verbose security
---
 WELAVerboseSecAudit.psm1 | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/WELAVerboseSecAudit.psm1 b/WELAVerboseSecAudit.psm1
index 292ffdf7..bc4d524c 100644
--- a/WELAVerboseSecAudit.psm1
+++ b/WELAVerboseSecAudit.psm1
@@ -276,6 +276,7 @@ System
 Write-Host -NoNewline $part
 }
 }
+ Write-Host ""
 } elseif ($line -match '.*enabled.*\(') {
 $parts = $line -split '(enabled.*\))'
 foreach ($part in $parts) {
@@ -285,6 +286,7 @@ System
 Write-Host -NoNewline $part
 }
 }
+ Write-Host ""
 } else {
 Write-Host -NoNewline $line
 }
From b5840ebaf3d3008e1b8305fd50710789667b6a2d Mon Sep 17 00:00:00 2001
From: fukusuket <41001169+fukusuket@users.noreply.github.com>
Date: Wed, 2 Apr 2025 17:55:49 +0900
Subject: [PATCH 53/70] feat: verbose security
---
 WELAVerboseSecAudit.psm1 | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/WELAVerboseSecAudit.psm1 b/WELAVerboseSecAudit.psm1
index bc4d524c..51ea335d 100644
--- a/WELAVerboseSecAudit.psm1
+++ b/WELAVerboseSecAudit.psm1
@@ -288,7 +288,7 @@ System
 }
 Write-Host ""
 } else {
- Write-Host -NoNewline $line
+ Write-Host $line
 }
 }
 Write-Host ""
From 5512c75d61a046bd3a1f2c3bb6425df8ab0d3d61 Mon Sep 17 00:00:00 2001
From: fukusuket <41001169+fukusuket@users.noreply.github.com>
Date: Wed, 2 Apr 2025 17:59:22 +0900
Subject: [PATCH 54/70] feat: verbose security
---
 WELAVerboseSecAudit.psm1 | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/WELAVerboseSecAudit.psm1 b/WELAVerboseSecAudit.psm1
index 51ea335d..341e5724 100644
--- a/WELAVerboseSecAudit.psm1
+++ b/WELAVerboseSecAudit.psm1
@@ -21,7 +21,7 @@ function CountRules {
 $counts[$rule.level]++
 }
 }
- $status = if ($rules[0].applicable) { "enabled" } else { "disabled" }
+ $status = if ($filterd_rules[0].applicable) { "enabled" } else { "disabled" }
 $result = "$status (critical: $($counts['critical']) | high: $($counts['high']) | medium: $($counts['medium']) | low: $($counts['low']), info: $($counts['informational']))"
 return $result
 }
From d32d6c0b2a92ae5f575af821774090a7b01c80db Mon Sep 17 00:00:00 2001
From: fukusuket <41001169+fukusuket@users.noreply.github.com>
Date: Thu, 3 Apr 2025 19:56:10 +0900
Subject: [PATCH 55/70] feat: verbose security
---
 WELAVerboseSecAudit.psm1 | 22 +++------------------
 1 file changed, 3 insertions(+), 19 deletions(-)
diff --git a/WELAVerboseSecAudit.psm1 b/WELAVerboseSecAudit.psm1
index 341e5724..644ba35e 100644
--- a/WELAVerboseSecAudit.psm1
+++ b/WELAVerboseSecAudit.psm1
@@ -21,7 +21,7 @@ function CountRules {
 $counts[$rule.level]++
 }
 }
- $status = if ($filterd_rules[0].applicable) { "enabled" } else { "disabled" }
+ $status = if ($filterd_rules[0].applicable) { ": enabled" } else { ": disabled" }
 $result = "$status (critical: $($counts['critical']) | high: $($counts['high']) | medium: $($counts['medium']) | low: $($counts['low']), info: $($counts['informational']))"
 return $result
 }
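Review bot: `$filterd_rules[0].applicable` lets the first matching rule stand for the whole subcategory, which is only right if every rule tagged with this GUID is applicable under the same conditions; a rule whose `subcategory_guids` lists several subcategories could presumably be marked applicable because a different subcategory is audited, and the summary would then label this one as enabled. That assumption deserves a comment on the line, e.g. `# subcategory status is taken from its first rule; assumes applicability is decided per subcategory GUID`, and if it does not hold the check should look at all of `$filterd_rules` rather than element 0. CountRules's body begins before the hunk.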
@@ -268,25 +268,9 @@ System
 $msgLines = $msg -split "`n"
 foreach ($line in $msgLines) {
 if ($line -match '.*disabled.*\(') {
- $parts = $line -split '(disabled.*\))'
- foreach ($part in $parts) {
- if ($part -match '.*disabled.*$') {
- Write-Host -NoNewline $part -ForegroundColor Red
- } else {
- Write-Host -NoNewline $part
- }
- }
- Write-Host ""
+ Write-Host -$line -ForegroundColor Red
 } elseif ($line -match '.*enabled.*\(') {
- $parts = $line -split '(enabled.*\))'
- foreach ($part in $parts) {
- if ($part -match '.*enabled.*$') {
- Write-Host -NoNewline $part -ForegroundColor Green
- } else {
- Write-Host -NoNewline $part
- }
- }
- Write-Host ""
+ Write-Host $line -ForegroundColor Green
 } else {
 Write-Host $line
 }
From 077b300710a84c49d9a07f10623796c3040a0e9d Mon Sep 17 00:00:00 2001
From: fukusuket <41001169+fukusuket@users.noreply.github.com>
Date: Thu, 3 Apr 2025 19:57:58 +0900
Subject: [PATCH 56/70] feat: verbose security
---
 WELAVerboseSecAudit.psm1 | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/WELAVerboseSecAudit.psm1 b/WELAVerboseSecAudit.psm1
index 644ba35e..bfbad310 100644
--- a/WELAVerboseSecAudit.psm1
+++ b/WELAVerboseSecAudit.psm1
@@ -271,6 +271,8 @@ System
 Write-Host -$line -ForegroundColor Red
 } elseif ($line -match '.*enabled.*\(') {
 Write-Host $line -ForegroundColor Green
+ } elseif ($line -match '.*No rule.*\(') {
+ Write-Host $line -ForegroundColor DarkYellow
 } else {
 Write-Host $line
 }
From 2ce9a95dbf1910fdbe094a7aa099fed0a592cd18 Mon Sep 17 00:00:00 2001
From: fukusuket <41001169+fukusuket@users.noreply.github.com>
Date: Thu, 3 Apr 2025 20:36:14 +0900
Subject: [PATCH 57/70] feat: verbose security
---
 WELAVerboseSecAudit.psm1 | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/WELAVerboseSecAudit.psm1 b/WELAVerboseSecAudit.psm1
index bfbad310..3ca0d248 100644
--- a/WELAVerboseSecAudit.psm1
+++ b/WELAVerboseSecAudit.psm1
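Review bot: `Write-Host -$line -ForegroundColor Red` in the disabled branch carries a stray leading `-`; as far as I can tell PowerShell parses `-$line` as a unary-minus expression on the string rather than as the object to print, so this branch fails at runtime instead of printing the line (PATCH 58 drops the `-`). The line should read `Write-Host $line -ForegroundColor Red`. The leading `.*` in the three `-match` patterns is redundant for an unanchored match and could be dropped, e.g. `'disabled.*\('`. ShowVerboseSecurity's body begins before the hunk.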
@@ -271,7 +271,7 @@ System
 Write-Host -$line -ForegroundColor Red
 } elseif ($line -match '.*enabled.*\(') {
 Write-Host $line -ForegroundColor Green
- } elseif ($line -match '.*No rule.*\(') {
+ } elseif ($line -match '.*No rule.*') {
 Write-Host $line -ForegroundColor DarkYellow
 } else {
 Write-Host $line
From 357b6e22054d6eb8a5e4e01581eaff0c775362cb Mon Sep 17 00:00:00 2001
From: fukusuket <41001169+fukusuket@users.noreply.github.com>
Date: Thu, 3 Apr 2025 20:37:42 +0900
Subject: [PATCH 58/70] feat: verbose security
---
 WELAVerboseSecAudit.psm1 | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/WELAVerboseSecAudit.psm1 b/WELAVerboseSecAudit.psm1
index 3ca0d248..9bef5df1 100644
--- a/WELAVerboseSecAudit.psm1
+++ b/WELAVerboseSecAudit.psm1
@@ -268,7 +268,7 @@ System
 $msgLines = $msg -split "`n"
 foreach ($line in $msgLines) {
 if ($line -match '.*disabled.*\(') {
- Write-Host -$line -ForegroundColor Red
+ Write-Host $line -ForegroundColor Red
 } elseif ($line -match '.*enabled.*\(') {
 Write-Host $line -ForegroundColor Green
 } elseif ($line -match '.*No rule.*') {
From 673d16f5d5f25e4462f57742e195240ebe2f664e Mon Sep 17 00:00:00 2001
From: fukusuket <41001169+fukusuket@users.noreply.github.com>
Date: Thu, 3 Apr 2025 22:36:32 +0900
Subject: [PATCH 59/70] feat: verbose security
---
 WELAVerboseSecAudit.psm1 | 95 ++++++++++++++++++++++++++++++++++++++++
 1 file changed, 95 insertions(+)
diff --git a/WELAVerboseSecAudit.psm1 b/WELAVerboseSecAudit.psm1
index 9bef5df1..4b209b4e 100644
--- a/WELAVerboseSecAudit.psm1
+++ b/WELAVerboseSecAudit.psm1
@@ -26,6 +26,38 @@ function CountRules {
 return $result
 }
+function ColorPrint {
+ param (
+ [string]$line,
+ [string]$category,
+ [array]$sub_categories
+ )
+
+ if ($line -notmatch $category) {
+ return
+ }
+
+ $allEnabled = $true
+ $allDisabled = $true
+
+ foreach ($sub_category in $sub_categories) {
+ if ($sub_category -notmatch 'enabled') {
+ $allEnabled = $false
+ }
+ if ($sub_category -notmatch 'disabled') {
+ $allDisabled = $false
+ }
+ }
+
+ if ($allEnabled) {
+ Write-Host $category -ForegroundColor Green
+ } elseif ($allDisabled) {
+ Write-Host $category -ForegroundColor Red
+ } else {
+ Write-Host $category -ForegroundColor DarkYellow
+ }
+}
+
 function ShowVerboseSecurity {
 param (
 [array]$rules
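Review bot: ColorPrint decides a category's colour by substring-matching the display strings CountRules formatted (`-notmatch 'enabled'` / `'disabled'`), so its result depends on the exact wording of another function's output; the later rename of `(No rule)` to `no rules` in PATCH 68 had to be chased by a regex change in PATCH 69, which shows how fragile that coupling is. Passing the per-subcategory counts or a status value instead of the formatted text, or having both functions call one shared status helper, would decouple them. The function also has no comment-based help; a short `<# .SYNOPSIS #>` block saying that it prints `$category` in green, red or dark yellow depending on whether all, none or some of `$sub_categories` report enabled would help the next reader. `$line -notmatch $category` additionally treats the category name as a regex, which PATCH 62 replaces with an exact comparison.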
@@ -276,6 +308,69 @@ System
 } else {
 Write-Host $line
 }
+ ColorPrint -line $line -category "Account Logon" -sub_categories @(
+ $m_credential_validation,
+ $m_kerberos_authentication_service,
+ $m_kerberos_sevice_ticket_operations
+ )
+ ColorPrint -line $line -category "Account Management" -sub_categories @(
+ $m_computer_account_management,
+ $m_other_account_management,
+ $m_security_group_management,
+ $m_user_account_management
+ )
+ ColorPrint -line $line -category "Detailed Tracking" -sub_categories @(
+ $m_plug_and_play_events,
+ $m_process_creation,
+ $m_process_termination,
+ $m_rpc_events,
+ $m_token_right_adjusted_events
+ )
+ ColorPrint -line $line -category "DS (Directory Service) Access" -sub_categories @(
+ $m_directory_service_access,
+ $m_directory_service_changes
+ )
+ ColorPrint -line $line -category "Logon/Logoff" -sub_categories @(
+ $m_account_lockout,
+ $m_group_membership,
+ $m_logoff,
+ $m_logon,
+ $m_other_logon_logoff_events,
+ $m_special_logon
+ )
+ ColorPrint -line $line -category "Object Access" -sub_categories @(
+ $m_certification_services,
+ $m_detailed_file_share,
+ $m_file_share,
+ $m_file_system,
+ $m_filtering_platform_connection,
+ $m_filtering_platform_packet_drop,
+ $m_kernel_object,
+ $m_handle_manipulation,
+ $m_other_object_access_events,
+ $m_registry,
+ $m_removable_storage,
+ $m_sam
+ )
+ ColorPrint -line $line -category "Policy Change" -sub_categories @(
+ $m_audit_policy_change,
+ $m_authentication_policy_change,
+ $m_authorization_policy_change,
+ $m_filtering_platform_policy_change,
+ $m_mpssvc_rule_level_policy_change,
+ $m_other_policy_change_events
+ )
+ ColorPrint -line $line -category "Privilege Use" -sub_categories @(
+ $m_non_sensitive_use_events,
+ $m_sensitive_privilege_use
+ )
+ ColorPrint -line $line -category "System" -sub_categories @(
+ $m_other_system_events,
+ $m_security_state_change,
+ $m_security_system_extension,
+ $m_system_integrity
+ )
+
 }
 Write-Host ""
 }
\ No newline at end of file
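Review bot: Every line of the message now triggers nine ColorPrint calls, each re-walking its subcategory list, although only the nine category headers can ever match; building one hashtable keyed by category name before the loop lets the loop do a single lookup per line and replaces these calls. PATCH 61 moves the same nine calls ahead of the colour branch and PATCH 60 adds a nine-term `-notmatch` chain to keep headers from printing twice; with the lookup and a `continue` both become unnecessary. The lookup assumes ColorPrint compares names exactly, as it does from PATCH 62/63 on. The enclosing `foreach` and ShowVerboseSecurity begin before the hunk.
```powershell
$categoryStatus = @{
    "Account Logon" = @($m_credential_validation, $m_kerberos_authentication_service, $m_kerberos_sevice_ticket_operations)
    # … one entry per category, same variables as the nine ColorPrint calls …
    "System" = @($m_other_system_events, $m_security_state_change, $m_security_system_extension, $m_system_integrity)
}
foreach ($line in $msgLines) {
    $name = $line.Trim()
    if ($categoryStatus.ContainsKey($name)) {
        ColorPrint -line $line -category $name -sub_categories $categoryStatus[$name]
        continue
    }
    # … unchanged: disabled / enabled / no-rules colouring and the plain Write-Host …
}
```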
From a8d003887029409775171bf53f028f8b939436a4 Mon Sep 17 00:00:00 2001
From: fukusuket <41001169+fukusuket@users.noreply.github.com>
Date: Thu, 3 Apr 2025 22:40:19 +0900
Subject: [PATCH 60/70] feat: verbose security
---
 WELAVerboseSecAudit.psm1 | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/WELAVerboseSecAudit.psm1 b/WELAVerboseSecAudit.psm1
index 4b209b4e..c127ca17 100644
--- a/WELAVerboseSecAudit.psm1
+++ b/WELAVerboseSecAudit.psm1
@@ -306,7 +306,9 @@ System
 } elseif ($line -match '.*No rule.*') {
 Write-Host $line -ForegroundColor DarkYellow
 } else {
- Write-Host $line
+ if ($line -notmatch "Account Logon" -and $line -notmatch "Account Management" -and $line -notmatch "Detailed Tracking" -and $line -notmatch "DS (Directory Service) Access" -and $line -notmatch "Logon/Logoff" -and $line -notmatch "Object Access" -and $line -notmatch "Policy Change" -and $line -notmatch "Privilege Use" -and $line -notmatch "System") {
+ Write-Host $line
+ }
 }
 ColorPrint -line $line -category "Account Logon" -sub_categories @(
 $m_credential_validation,
From 2c567e08d2fbc0e969df04771a5f8e8e4f24eff5 Mon Sep 17 00:00:00 2001
From: fukusuket <41001169+fukusuket@users.noreply.github.com>
Date: Thu, 3 Apr 2025 22:41:50 +0900
Subject: [PATCH 61/70] feat: verbose security
---
 WELAVerboseSecAudit.psm1 | 23 +++++++++++------------
 1 file changed, 11 insertions(+), 12 deletions(-)
diff --git a/WELAVerboseSecAudit.psm1 b/WELAVerboseSecAudit.psm1
index c127ca17..10de662f 100644
--- a/WELAVerboseSecAudit.psm1
+++ b/WELAVerboseSecAudit.psm1
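Review bot: The added `-notmatch` chain is an unanchored, case-insensitive substring test, so it also suppresses description lines that merely contain a category name: the Kernel Object recommendation (`... do not enable Audit the access of global system objects ... 4663: Object Access events.`) matches both `"System"` and `"Object Access"` and is never printed. Comparing the trimmed line against the exact header names fixes that, e.g. `$categoryNames = @("Account Logon", "Account Management", "Detailed Tracking", "DS (Directory Service) Access", "Logon/Logoff", "Object Access", "Policy Change", "Privilege Use", "System")` once before the loop and `if ($categoryNames -notcontains $line.Trim()) {` here. The same line is carried into the hunks of PATCH 61, 64 and 65, which only change its quoting, and is the one in effect at the end of the series. ShowVerboseSecurity begins before the hunk.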
@@ -299,17 +299,6 @@ System
 $msgLines = $msg -split "`n"
 foreach ($line in $msgLines) {
- if ($line -match '.*disabled.*\(') {
- Write-Host $line -ForegroundColor Red
- } elseif ($line -match '.*enabled.*\(') {
- Write-Host $line -ForegroundColor Green
- } elseif ($line -match '.*No rule.*') {
- Write-Host $line -ForegroundColor DarkYellow
- } else {
- if ($line -notmatch "Account Logon" -and $line -notmatch "Account Management" -and $line -notmatch "Detailed Tracking" -and $line -notmatch "DS (Directory Service) Access" -and $line -notmatch "Logon/Logoff" -and $line -notmatch "Object Access" -and $line -notmatch "Policy Change" -and $line -notmatch "Privilege Use" -and $line -notmatch "System") {
- Write-Host $line
- }
- }
 ColorPrint -line $line -category "Account Logon" -sub_categories @(
 $m_credential_validation,
 $m_kerberos_authentication_service,
@@ -372,7 +361,17 @@ System
 $m_security_system_extension,
 $m_system_integrity
 )
-
+ if ($line -match '.*disabled.*\(') {
+ Write-Host $line -ForegroundColor Red
+ } elseif ($line -match '.*enabled.*\(') {
+ Write-Host $line -ForegroundColor Green
+ } elseif ($line -match '.*No rule.*') {
+ Write-Host $line -ForegroundColor DarkYellow
+ } else {
+ if ($line -notmatch "Account Logon" -and $line -notmatch "Account Management" -and $line -notmatch "Detailed Tracking" -and $line -notmatch "DS (Directory Service) Access" -and $line -notmatch "Logon/Logoff" -and $line -notmatch "Object Access" -and $line -notmatch "Policy Change" -and $line -notmatch "Privilege Use" -and $line -notmatch "System") {
+ Write-Host $line
+ }
+ }
 }
 Write-Host ""
 }
\ No newline at end of file
From 3ed3142868d34a329f8e95a5b7f68da686166623 Mon Sep 17 00:00:00 2001
From: fukusuket <41001169+fukusuket@users.noreply.github.com>
Date: Thu, 3 Apr 2025 22:43:17 +0900
Subject: [PATCH 62/70] feat: verbose security
---
 WELAVerboseSecAudit.psm1 | 36 +++++++++++++++++------------------
 1 file changed, 17 insertions(+), 19 deletions(-)
diff --git a/WELAVerboseSecAudit.psm1 b/WELAVerboseSecAudit.psm1
index 10de662f..017f8c0f 100644
--- a/WELAVerboseSecAudit.psm1
+++ b/WELAVerboseSecAudit.psm1
@@ -33,28 +33,26 @@ function ColorPrint {
 [array]$sub_categories
 )
- if ($line -notmatch $category) {
- return
- }
+ if ($line -eq $category) {
+ $allEnabled = $true
+ $allDisabled = $true
- $allEnabled = $true
- $allDisabled = $true
-
- foreach ($sub_category in $sub_categories) {
- if ($sub_category -notmatch 'enabled') {
- $allEnabled = $false
+ foreach ($sub_category in $sub_categories) {
+ if ($sub_category -notmatch 'enabled') {
+ $allEnabled = $false
+ }
+ if ($sub_category -notmatch 'disabled') {
+ $allDisabled = $false
+ }
 }
- if ($sub_category -notmatch 'disabled') {
- $allDisabled = $false
- }
- }
- if ($allEnabled) {
- Write-Host $category -ForegroundColor Green
- } elseif ($allDisabled) {
- Write-Host $category -ForegroundColor Red
- } else {
- Write-Host $category -ForegroundColor DarkYellow
+ if ($allEnabled) {
+ Write-Host $category -ForegroundColor Green
+ } elseif ($allDisabled) {
+ Write-Host $category -ForegroundColor Red
+ } else {
+ Write-Host $category -ForegroundColor DarkYellow
+ }
 }
 }
From 833d74722686ab14ae88e563ff6a71903399eabc Mon Sep 17 00:00:00 2001
From: fukusuket <41001169+fukusuket@users.noreply.github.com>
Date: Thu, 3 Apr 2025 22:45:06 +0900
Subject: [PATCH 63/70] feat: verbose security
---
 WELAVerboseSecAudit.psm1 | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/WELAVerboseSecAudit.psm1 b/WELAVerboseSecAudit.psm1
index 017f8c0f..f84682c1 100644
--- a/WELAVerboseSecAudit.psm1
+++ b/WELAVerboseSecAudit.psm1
@@ -33,7 +33,7 @@ function ColorPrint {
 [array]$sub_categories
 )
- if ($line -eq $category) {
+ if ($line.Trim() -eq $category.Trim()) {
 $allEnabled = $true
 $allDisabled = $true
From 08fca52980ee8ff147090b1dc7e5c0735935004f Mon Sep 17 00:00:00 2001
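Review bot: Nesting the entire body under `if ($line -eq $category)` (with `.Trim()` added in PATCH 63) pushes the aggregation loop and the three `Write-Host` branches one level deeper than they need to be; a guard clause at the top, `if ($line.Trim() -ne $category.Trim()) { return }`, keeps the exact comparison the commit introduces while leaving the rest of the function at the original indentation with identical behaviour. The `param` block of ColorPrint begins before the hunk.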
From: fukusuket <41001169+fukusuket@users.noreply.github.com>
Date: Thu, 3 Apr 2025 22:47:31 +0900
Subject: [PATCH 64/70] feat: verbose security
---
 WELAVerboseSecAudit.psm1 | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/WELAVerboseSecAudit.psm1 b/WELAVerboseSecAudit.psm1
index f84682c1..d8d30da8 100644
--- a/WELAVerboseSecAudit.psm1
+++ b/WELAVerboseSecAudit.psm1
@@ -366,7 +366,7 @@ System
 } elseif ($line -match '.*No rule.*') {
 Write-Host $line -ForegroundColor DarkYellow
 } else {
- if ($line -notmatch "Account Logon" -and $line -notmatch "Account Management" -and $line -notmatch "Detailed Tracking" -and $line -notmatch "DS (Directory Service) Access" -and $line -notmatch "Logon/Logoff" -and $line -notmatch "Object Access" -and $line -notmatch "Policy Change" -and $line -notmatch "Privilege Use" -and $line -notmatch "System") {
+ if ($line -notmatch "Account Logon" -and $line -notmatch "Account Management" -and $line -notmatch "Detailed Tracking" -and $line -notmatch 'DS (Directory Service) Access' -and $line -notmatch "Logon/Logoff" -and $line -notmatch "Object Access" -and $line -notmatch "Policy Change" -and $line -notmatch "Privilege Use" -and $line -notmatch "System") {
 Write-Host $line
 }
 }
From 750eeb4d452c690e2e927b05c10a08549a4da00b Mon Sep 17 00:00:00 2001
From: fukusuket <41001169+fukusuket@users.noreply.github.com>
Date: Thu, 3 Apr 2025 22:51:41 +0900
Subject: [PATCH 65/70] feat: verbose security
---
 WELAVerboseSecAudit.psm1 | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/WELAVerboseSecAudit.psm1 b/WELAVerboseSecAudit.psm1
index d8d30da8..6a543010 100644
--- a/WELAVerboseSecAudit.psm1
+++ b/WELAVerboseSecAudit.psm1
@@ -366,7 +366,7 @@ System
 } elseif ($line -match '.*No rule.*') {
 Write-Host $line -ForegroundColor DarkYellow
 } else {
- if ($line -notmatch "Account Logon" -and $line -notmatch "Account Management" -and $line -notmatch "Detailed Tracking" -and $line -notmatch 'DS (Directory Service) Access' -and $line -notmatch "Logon/Logoff" -and $line -notmatch "Object Access" -and $line -notmatch "Policy Change" -and $line -notmatch "Privilege Use" -and $line -notmatch "System") {
+ if ($line -notmatch "Account Logon" -and $line -notmatch "Account Management" -and $line -notmatch "Detailed Tracking" -and $line -notmatch "DS \(Directory Service\) Access" -and $line -notmatch "Logon/Logoff" -and $line -notmatch "Object Access" -and $line -notmatch "Policy Change" -and $line -notmatch "Privilege Use" -and $line -notmatch "System") {
 Write-Host $line
 }
 }
From 243f8fdd0aad29ab38bbbf3fbc8a5192f3b621a4 Mon Sep 17 00:00:00 2001
From: fukusuket <41001169+fukusuket@users.noreply.github.com>
Date: Fri, 4 Apr 2025 08:09:03 +0900
Subject: [PATCH 66/70] feat: verbose security
---
 WELAVerboseSecAudit.psm1 | 88 ++++++++++++++++++++-------------------
 1 file changed, 44 insertions(+), 44 deletions(-)
diff --git a/WELAVerboseSecAudit.psm1 b/WELAVerboseSecAudit.psm1
index 6a543010..2dcb6d39 100644
--- a/WELAVerboseSecAudit.psm1
+++ b/WELAVerboseSecAudit.psm1
@@ -21,7 +21,7 @@ function CountRules {
 $counts[$rule.level]++
 }
 }
- $status = if ($filterd_rules[0].applicable) { ": enabled" } else { ": disabled" }
+ $status = if ($filterd_rules[0].applicable) { " enabled" } else { " disabled" }
 $result = "$status (critical: $($counts['critical']) | high: $($counts['high']) | medium: $($counts['medium']) | low: $($counts['low']), info: $($counts['informational']))"
 return $result
 }
@@ -109,11 +109,11 @@ function ShowVerboseSecurity {
 $msg = @"
 Detailed Security category settings:
 Account Logon
- - Credential Validation $m_credential_validation
+ - Credential Validation: $m_credential_validation
 - Volume: Depends on NTLM usage. Could be high on DCs and low on clients and servers.
 - Default settings: Client OS: No Auditing | Server OS: Success
 - Recommended settings: Client and Server OSes: Success and Failure
- - Kerberos Authentication Service $m_kerberos_authentication_service
+ - Kerberos Authentication Service: $m_kerberos_authentication_service
 - Volume: High
 - Default settings: Client OS: No Auditing | Server OS: Success
 - Recommended settings: Client OS: No Auditing | Server OS: Success and Failure
@@ -122,174 +122,174 @@ Account Logon
 - Default settings: Client OS: No Auditing | Server OS: Success
 - Recommended settings: Domain Controllers: Success and Failure
 Account Management
- - Computer Account Management $m_computer_account_management
+ - Computer Account Management: $m_computer_account_management
 - Volume: Low
 - Default settings: Client OS: No Auditing | Server OS: Success Only
 - Recommended settings: Domain Controllers: Success and Failure
- - Other Account Management Events $m_other_account_management
+ - Other Account Management Events: $m_other_account_management
 - Volume: Low
 - Default settings: No Auditing
 - Recommended settings: Success and Failure
- - Security Group Management $m_security_group_management
+ - Security Group Management: $m_security_group_management
 - Volume: Low
 - Default settings: Success
 - Recommended settings: Success and Failure
- - User Account Management $m_user_account_management
+ - User Account Management: $m_user_account_management
 - Volume: Low
 - Default settings: Success
 - Recommended settings: Success and Failure
 Detailed Tracking
- - Plug and Play Events $m_plug_and_play_events
+ - Plug and Play Events: $m_plug_and_play_events
 - Volume: Typcially low
 - Default settings: No Auditing
 - Recommended settings: Success and Failure
- - Process Creation $m_process_creation
+ - Process Creation: $m_process_creation
 - Volume: High
 - Default settings: No Auditing
 - Recommended settings: Success and Failure if sysmon is not configured.
- - Process Termination $m_process_termination
+ - Process Termination: $m_process_termination
 - Volume: High
 - Default settings: No Auditing
 - Recommended settings: No Auditing unless you want to track the lifespan of processes.
- - RPC (Remote Procedure Call) Events $m_rpc_events
+ - RPC (Remote Procedure Call) Events: $m_rpc_events
 - Volume: High on RPC servers (According to Microsoft)
 - Default settings: No Auditing
 - Recommended settings: Unknown. Needs testing.
- - Token Right Adjusted Events $m_token_right_adjusted_events
+ - Token Right Adjusted Events: $m_token_right_adjusted_events
 - Volume: Unknown
 - Default settings: No Auditing
 - Recommended settings: Unknown. Needs testing.
 DS (Directory Service) Access
- - Directory Service Access $m_directory_service_access
+ - Directory Service Access: $m_directory_service_access
 - Volume: High
 - Default settings: Client OS: No Auditing | Server OS: Success
 - Recommended settings: Client OS: No Auditing | ADDS Server: Success and Failure
- - Directory Service Changes $m_directory_service_changes
+ - Directory Service Changes: $m_directory_service_changes
 - Volume: High
 - Default settings: No Auditing
 - Recommended settings: Client OS: No Auditing | ADDS Server: Success and Failure
 Logon/Logoff
- - Account Lockout $m_account_lockout
+ - Account Lockout: $m_account_lockout
 - Volume: Low
 - Default settings: Success
 - Recommended settings: Success and Failure
- - Group Membership $m_group_membership
+ - Group Membership: $m_group_membership
 - Volume: Adds an extra 4627 event to every logon.
 - Default settings: No Auditing
 - Recommended settings: No Auditing
- - Logoff $m_logoff
+ - Logoff: $m_logoff
 - Volume: High
 - Default settings: Success
 - Recommended settings: Success
- - Logon $m_logon
+ - Logon: $m_logon
 - Volume: Low on clients, medium on DCs or network servers
 - Default settings: Client OS: Success | Server OS: Success and Failure
 - Recommended settings: Success and Failure
- - Other Logon/Logoff Events $m_other_logon_logoff_events
+ - Other Logon/Logoff Events: $m_other_logon_logoff_events
 - Volume: Low
 - Default settings: No Auditing
 - Recommended settings: Success and Failure
- - Special Logon $m_special_logon
+ - Special Logon: $m_special_logon
 - Volume: Low on clients. Medium on DC or network servers.
 - Default settings: Success
 - Recommended settings: Success and Failure
 Object Access
- - Certification Services $m_certification_services
+ - Certification Services: $m_certification_services
 - Volume: Low to medium
 - Default settings: No Auditing
 - Recommended settings: Success and Failure for AD CS role servers.
- - Detailed File Share $m_detailed_file_share
+ - Detailed File Share: $m_detailed_file_share
 - Volume: Very high for file servers and DCs, however, may be necessary if you want to track who is accessing what files as well as detect various lateral movement.
 - Default settings: No Auditing
 - Recommended settings: No Auditing due to the high noise level. Enable if you can though.
- - File Share $m_file_share
+ - File Share: $m_file_share
 - Volume: High for file servers and DCs.
 - Default settings: No Auditing
 - Recommended settings: Success and Failure
- - File System $m_file_system
+ - File System: $m_file_system
 - Volume: Depends on SACL rules
 - Default settings: No Auditing
 - Recommended settings: Enable SACLs just for sensitive files
- - Filtering Platform Connection $m_filtering_platform_connection
+ - Filtering Platform Connection: $m_filtering_platform_connection
 - Volume: High
 - Default settings: No Auditing
 - Recommended settings: Success and Failure if you have enough space and are not monitoring network connections with sysmon. This should cause a high amount of events though.
- - Filtering Platform Packet Drop $m_filtering_platform_packet_drop
+ - Filtering Platform Packet Drop: $m_filtering_platform_packet_drop
 - Volume: High
 - Default settings: No Auditing
 - Recommended settings: Success and Failure if you have enough space and are not monitoring network connections with sysmon. This should cause a high amount of events though.
- - Kernel Object $m_kernel_object
+ - Kernel Object: $m_kernel_object
 - Volume: High if auditing access of global object access is enabled
 - Default settings: No Auditing
 - Recommended settings: Success and Failure but do not enable Audit the access of global system objects as you will generate too many 4663: Object Access events.
- - Handle Manipulation $m_handle_manipulation
+ - Handle Manipulation: $m_handle_manipulation
 - Volume: High
 - Default settings: No Auditing
 - Recommended settings: Success and Failure
- - Other Object Access Events $m_other_object_access_events
+ - Other Object Access Events: $m_other_object_access_events
 - Volume: Low
 - Default settings: No Auditing
 - Recommended settings: Success and Failure
- - Registry $m_registry
+ - Registry: $m_registry
 - Volume: Depends on SACLs
 - Default settings: No Auditing
 - Recommended settings: Set SACLs for only the registry keys that you want to monitor
- - Removable Storage $m_removable_storage
+ - Removable Storage: $m_removable_storage
 - Volume: Depends on how much removable storage is used
 - Default settings: No Auditing
 - Recommended settings: Success and Failure if you want to monitor external device usage.
- - SAM $m_sam
+ - SAM: $m_sam
 - Volume: High volume of events on Domain Controllers
 - Default settings: No Auditing
 - Recommended settings: Success and Failure if you can but may cause too high volume of noise so should be tested beforehand.
 Policy Change
- - Audit Policy Change $m_audit_policy_change
+ - Audit Policy Change: $m_audit_policy_change
 - Volume: Low
 - Default settings: Success
 - Recommended settings: Success and Failure
- - Authentication Policy Change $m_authentication_policy_change
+ - Authentication Policy Change: $m_authentication_policy_change
 - Volume: Low
 - Default settings: Success
 - Recommended settings: Success and Failure
- - Authorization Policy Change $m_authorization_policy_change
+ - Authorization Policy Change: $m_authorization_policy_change
 - Volume: Medium to High
 - Default settings: No Auditing
 - Recommended settings: Unknown. Needs testing.
- - Filtering Platform Policy Change $m_filtering_platform_policy_change
+ - Filtering Platform Policy Change: $m_filtering_platform_policy_change
 - Volume: Low
 - Default settings: No Auditing
 - Recommended settings: Unknown, Needs testing.
- - MPSSVC Rule-Level Policy Change $m_mpssvc_rule_level_policy_change
+ - MPSSVC Rule-Level Policy Change: $m_mpssvc_rule_level_policy_change
 - Volume: Low
 - Default settings: No Auditing
 - Recommended settings: Unknown.
 Needs testing.
- - Other Policy Change Events $m_other_policy_change_events
+ - Other Policy Change Events: $m_other_policy_change_events
 - Volume: Low
 - Default settings: No Auditing
 - Recommended settings: No Auditing (Note: ACSC recommends Success and Failure, however, this results in a lot of noise of 5447 (A Windows Filtering Platform filter has been changed) events being generated.)
 Privilege Use
- - Non Sensitive Use Events $m_non_sensitive_use_events
+ - Non Sensitive Use Events: $m_non_sensitive_use_events
 - Volume: Very high
 - Default settings: No Auditing
 - Recommended settings: No Auditing
- - Sensitive Privilege Use $m_sensitive_privilege_use
+ - Sensitive Privilege Use: $m_sensitive_privilege_use
 - Volume: High
 - Default settings: No Auditing
 - Recommended settings: Success and Failure However, this may be too noisy.
 System
- - Other System Events $m_other_system_events
+ - Other System Events: $m_other_system_events
 - Volume: Low
 - Default settings: Success and Failure
 - Recommended settings: Unknown. Needs testing.
- - Security State Change $m_security_state_change
+ - Security State Change: $m_security_state_change
 - Volume: Low
 - Default settings: Success
 - Recommended settings: Success and Failure
- - Security System Extension $m_security_system_extension
+ - Security System Extension: $m_security_system_extension
 - Volume: Low, but more on DCs
 - Default settings: No Auditing
 - Recommended settings: Success and Failure
- - System Integrity $m_system_integrity
+ - System Integrity: $m_system_integrity
 - Volume: Low
 - Default settings: Sucess, Failure
 - Recommended settings: Success and Failure
From b746d1c3a965e06f908dda9af1b7be476ecd7353 Mon Sep 17 00:00:00 2001
From: fukusuket <41001169+fukusuket@users.noreply.github.com>
Date: Fri, 4 Apr 2025 23:28:03 +0900
Subject: [PATCH 67/70] feat: verbose security
---
 WELAVerboseSecAudit.psm1 | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/WELAVerboseSecAudit.psm1 b/WELAVerboseSecAudit.psm1
index 2dcb6d39..9c3995a1 100644
--- a/WELAVerboseSecAudit.psm1
+++ b/WELAVerboseSecAudit.psm1
@@ -21,7 +21,7 @@ function CountRules {
 $counts[$rule.level]++
 }
 }
- $status = if ($filterd_rules[0].applicable) { " enabled" } else { " disabled" }
+ $status = if ($filterd_rules[0].applicable) { "enabled" } else { "disabled" }
 $result = "$status (critical: $($counts['critical']) | high: $($counts['high']) | medium: $($counts['medium']) | low: $($counts['low']), info: $($counts['informational']))"
 return $result
 }
From 3eb0119a4a58b180aec382f077478709b2cfe1bc Mon Sep 17 00:00:00 2001
From: fukusuket <41001169+fukusuket@users.noreply.github.com>
Date: Sat, 5 Apr 2025 08:30:06 +0900
Subject: [PATCH 68/70] feat: verbose security
---
 WELAVerboseSecAudit.psm1 | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
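Review bot: The rewritten status lines sit next to message text that still carries typos this pass over the heredoc could have fixed: `Typcially low` under Plug and Play Events and `Sucess, Failure` under System Integrity are both context lines of this hunk, and the identifier `$m_kerberos_sevice_ticket_operations` on PATCH 70's added line is misspelled. These strings are what the operator reads on screen, so `Typically low` and `Success, Failure` are worth a follow-up commit. The heredoc and ShowVerboseSecurity continue outside the hunk.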
diff --git a/WELAVerboseSecAudit.psm1 b/WELAVerboseSecAudit.psm1
index 9c3995a1..67b612d8 100644
--- a/WELAVerboseSecAudit.psm1
+++ b/WELAVerboseSecAudit.psm1
@@ -6,7 +6,7 @@ function CountRules {
 $filterd_rules = $rules | Where-Object { $_.subcategory_guids -contains $guid }
 if ($filterd_rules.Count -eq 0) {
- return "(No rule)"
+ return "no rules"
 }
 $counts = @{
 critical = 0
From 366feb9490d5b259280e07bf5bfc9b87ac891637 Mon Sep 17 00:00:00 2001
From: fukusuket <41001169+fukusuket@users.noreply.github.com>
Date: Sat, 5 Apr 2025 08:30:18 +0900
Subject: [PATCH 69/70] feat: verbose security
---
 WELAVerboseSecAudit.psm1 | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/WELAVerboseSecAudit.psm1 b/WELAVerboseSecAudit.psm1
index 67b612d8..9051dd09 100644
--- a/WELAVerboseSecAudit.psm1
+++ b/WELAVerboseSecAudit.psm1
@@ -363,7 +363,7 @@ System
 Write-Host $line -ForegroundColor Red
 } elseif ($line -match '.*enabled.*\(') {
 Write-Host $line -ForegroundColor Green
- } elseif ($line -match '.*No rule.*') {
+ } elseif ($line -match '.*no rules.*') {
 Write-Host $line -ForegroundColor DarkYellow
 } else {
 if ($line -notmatch "Account Logon" -and $line -notmatch "Account Management" -and $line -notmatch "Detailed Tracking" -and $line -notmatch "DS \(Directory Service\) Access" -and $line -notmatch "Logon/Logoff" -and $line -notmatch "Object Access" -and $line -notmatch "Policy Change" -and $line -notmatch "Privilege Use" -and $line -notmatch "System") {
From e9116458bf123c3a99712e6b0c30cbf10cd16ccc Mon Sep 17 00:00:00 2001
From: Yamato Security <71482215+YamatoSecurity@users.noreply.github.com>
Date: Sat, 5 Apr 2025 08:40:10 +0900
Subject: [PATCH 70/70] add colon
---
 WELAVerboseSecAudit.psm1 | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/WELAVerboseSecAudit.psm1 b/WELAVerboseSecAudit.psm1
index 9051dd09..5a712a4f 100644
--- a/WELAVerboseSecAudit.psm1
+++ b/WELAVerboseSecAudit.psm1
@@ -117,7 +117,7 @@ Account Logon
 - Volume: High
 - Default settings: Client OS: No Auditing | Server OS: Success
 - Recommended settings: Client OS: No Auditing | Server OS: Success and Failure
- - Kerberos Service Ticket Operations $m_kerberos_sevice_ticket_operations
+ - Kerberos Service Ticket Operations: $m_kerberos_sevice_ticket_operations
 - Volume: High
 - Default settings: Client OS: No Auditing | Server OS: Success
 - Recommended settings: Domain Controllers: Success and Failure