From f541c87a44c052fd41545f4030ed31a33b1d3805 Mon Sep 17 00:00:00 2001
From: fukusuket <41001169+fukusuket@users.noreply.github.com>
Date: Fri, 21 Mar 2025 00:57:22 +0900
Subject: [PATCH] chg: Output horizontally
---
 WELA.ps1 | 13 +++++++++----
 1 file changed, 9 insertions(+), 4 deletions(-)
diff --git a/WELA.ps1 b/WELA.ps1
index 6800f1e4..7a5d0019 100644
--- a/WELA.ps1
+++ b/WELA.ps1
@@ -179,10 +179,15 @@ $usablePwsModRate = CalculateUsableRate -counts $usablePwsModCounts -totalCounts
 $usablePwsScrRate = CalculateUsableRate -counts $usablePwsScrCounts -totalCounts $totalPwsScrCounts
 # Step 6: Show the number of usable and unusable rules for each level
-ShowRulesCountsByLevel -usableRate $usableSecRate -msg "Security event log detection rules:"
-ShowRulesCountsByLevel -usableRate $usablePwsClaRate -msg "PowerShell classic logging detection rules:"
-ShowRulesCountsByLevel -usableRate $usablePwsModRate -msg "PowerShell module logging detection rules:"
-ShowRulesCountsByLevel -usableRate $usablePwsScrRate -msg "PowerShell script block logging detection rules:"
+$pwsModEnabled = CheckRegistryValue -registryPath "HKLM:\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\PowerShell\ModuleLogging" -valueName "EnableModuleLogging" -expectedValue 1
+$pwsScrEnabled = CheckRegistryValue -registryPath "HKLM:\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging" -valueName "EnableScriptBlockLogging" -expectedValue 1
+$pwsModStatus = if ($pwsModEnabled) { "Enabled" } else { "Disabled" }
+$pwsSrcStatus = if ($pwsScrEnabled) { "Enabled" } else { "Disabled" }
+
+ShowRulesCountsByLevel -usableRate $usableSecRate -msg "Security event log detection rules: (Partially Enabled)"
+ShowRulesCountsByLevel -usableRate $usablePwsClaRate -msg "PowerShell classic logging detection rules: (Enabled)"
+ShowRulesCountsByLevel -usableRate $usablePwsModRate -msg "PowerShell module logging detection rules: ($pwsModStatus)"
+ShowRulesCountsByLevel -usableRate $usablePwsScrRate -msg "PowerShell script block logging detection rules: ($pwsSrcStatus)"
 Write-Output "Usable detection rules list saved to: UsableRules.csv"
 Write-Output "Unusable detection rules list saved to: UnusableRules.csv"
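Review bot: The two `CheckRegistryValue` calls read only the `Wow6432Node` policy keys, while the Group Policy settings for module and script block logging are normally stored under `HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ModuleLogging` and `...\ScriptBlockLogging`. If the `Wow6432Node` view does not mirror those keys on a given host, logging that is actually on would be printed as "Disabled". `CheckRegistryValue` is defined outside this hunk, so unless it already falls back to the native path, I would check both and combine them, e.g. `$pwsModEnabled = (CheckRegistryValue -registryPath "HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ModuleLogging" -valueName "EnableModuleLogging" -expectedValue 1) -or $pwsModEnabled`, and likewise for `EnableScriptBlockLogging`. The "(Partially Enabled)" and "(Enabled)" suffixes on the Security and classic-logging lines are hard-coded rather than read from the host, so a comment such as `# assumed Windows defaults, not verified on this host` would keep readers from treating them as measured state. Minor: `$pwsSrcStatus` is spelled `Src` while its input is `$pwsScrEnabled`; `$pwsScrStatus` would keep the names aligned.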