mirror of
https://github.com/Yamato-Security/WELA.git
synced 2025-12-10 03:03:06 +01:00
256 lines
13 KiB
PowerShell
256 lines
13 KiB
PowerShell
function ShowVerboseSecurity {
|
|
param (
|
|
[array]$rules
|
|
)
|
|
$m_credential_validation = "disabled (critical: 10 | high: 100 | medium | low: 10, info: 1000)"
|
|
$m_kerberos_authentication_service = "disabled (critical: 10 | high: 100 | medium | low: 10, info: 1000)"
|
|
$m_kerberos_sevice_ticket_operations = "disabled (critical: 10 | high: 100 | medium | low: 10, info: 1000)"
|
|
$m_computer_account_management = "disabled (critical: 10 | high: 100 | medium | low: 10, info: 1000)"
|
|
$m_other_account_management = "disabled (critical: 10 | high: 100 | medium | low: 10, info: 1000)"
|
|
$m_security_group_management = "disabled (critical: 10 | high: 100 | medium | low: 10, info: 1000)"
|
|
$m_user_account_management = "disabled (critical: 10 | high: 100 | medium | low: 10, info: 1000)"
|
|
$m_plug_and_play_events = "disabled (critical: 10 | high: 100 | medium | low: 10, info: 1000)"
|
|
$m_process_creation = "disabled (critical: 10 | high: 100 | medium | low: 10, info: 1000)"
|
|
$m_process_termination = "disabled (critical: 10 | high: 100 | medium | low: 10, info: 1000)"
|
|
$m_rpc_events = "disabled (critical: 10 | high: 100 | medium | low: 10, info: 1000)"
|
|
$m_token_right_adjusted_events = "disabled (critical: 10 | high: 100 | medium | low: 10, info: 1000)"
|
|
$m_directory_service_access = "disabled (critical: 10 | high: 100 | medium | low: 10, info: 1000)"
|
|
$m_account_lockout = "disabled (critical: 10 | high: 100 | medium | low: 10, info: 1000)"
|
|
$m_logoff = "disabled (critical: 10 | high: 100 | medium | low: 10, info: 1000)"
|
|
$m_logon = "disabled (critical: 10 | high: 100 | medium | low: 10, info: 1000)"
|
|
$m_other_logon_logoff_events = "disabled (critical: 10 | high: 100 | medium | low: 10, info: 1000)"
|
|
$m_special_logon = "disabled (critical: 10 | high: 100 | medium | low: 10, info: 1000)"
|
|
$m_certification_services = "disabled (critical: 10 | high: 100 | medium | low: 10, info: 1000)"
|
|
$m_detailed_file_share = "disabled (critical: 10 | high: 100 | medium | low: 10, info: 1000)"
|
|
$m_file_share = "disabled (critical: 10 | high: 100 | medium | low: 10, info: 1000)"
|
|
$m_file_system = "disabled (critical: 10 | high: 100 | medium | low: 10, info: 1000)"
|
|
$m_filtering_platform_connection = "disabled (critical: 10 | high: 100 | medium | low: 10, info: 1000)"
|
|
$m_filtering_platform_packet_drop = "disabled (critical: 10 | high: 100 | medium | low: 10, info: 1000)"
|
|
$m_kernel_object = "disabled (critical: 10 | high: 100 | medium | low: 10, info: 1000)"
|
|
$m_handle_manipulation = "disabled (critical: 10 | high: 100 | medium | low: 10, info: 1000)"
|
|
$m_other_object_access_events = "disabled (critical: 10 | high: 100 | medium | low: 10, info: 1000)"
|
|
$m_registry = "disabled (critical: 10 | high: 100 | medium | low: 10, info: 1000)"
|
|
$m_removable_storage = "disabled (critical: 10 | high: 100 | medium | low: 10, info: 1000)"
|
|
$m_sam = "disabled (critical: 10 | high: 100 | medium | low: 10, info: 1000)"
|
|
$m_audit_policy_change = "disabled (critical: 10 | high: 100 | medium | low: 10, info: 1000)"
|
|
$m_authentication_policy_change = "disabled (critical: 10 | high: 100 | medium | low: 10, info: 1000)"
|
|
$m_authorization_policy_change = "disabled (critical: 10 | high: 100 | medium | low: 10, info: 1000)"
|
|
$m_filtering_platform_policy_change = "disabled (critical: 10 | high: 100 | medium | low: 10, info: 1000)"
|
|
$m_mpssvc_rule_level_policy_change = "disabled (critical: 10 | high: 100 | medium | low: 10, info: 1000)"
|
|
$m_other_policy_change_events = "disabled (critical: 10 | high: 100 | medium | low: 10, info: 1000)"
|
|
$m_non_sensitive_use_events = "disabled (critical: 10 | high: 100 | medium | low: 10, info: 1000)"
|
|
$m_sensitive_privilege_use = "disabled (critical: 10 | high: 100 | medium | low: 10, info: 1000)"
|
|
$m_other_system_events = "disabled (critical: 10 | high: 100 | medium | low: 10, info: 1000)"
|
|
$m_security_state_change = "disabled (critical: 10 | high: 100 | medium | low: 10, info: 1000)"
|
|
$m_security_system_extension = "disabled (critical: 10 | high: 100 | medium | low: 10, info: 1000)"
|
|
$m_system_integrity = "disabled (critical: 10 | high: 100 | medium | low: 10, info: 1000)"
|
|
|
|
$msg = @"
|
|
Detailed Security category settings:
|
|
Account Logon
|
|
- Credential Validation $m_credential_validation
|
|
- Volume: Depends on NTLM usage. Could be high on DCs and low on clients and servers.
|
|
- Default settings: Client OS: No Auditing | Server OS: Success
|
|
- Recommended settings: Client and Server OSes: Success and Failure
|
|
- Kerberos Authentication Service $m_kerberos_authentication_service
|
|
- Volume: High
|
|
- Default settings: Client OS: No Auditing | Server OS: Success
|
|
- Recommended settings: Client OS: No Auditing | Server OS: Success and Failure
|
|
- Kerberos Service Ticket Operations $m_kerberos_sevice_ticket_operations
|
|
- Volume: High
|
|
- Default settings: Client OS: No Auditing | Server OS: Success
|
|
- Recommended settings: Domain Controllers: Success and Failure
|
|
Account Management
|
|
- Computer Account Management $m_computer_account_management
|
|
- Volume: Low
|
|
- Default settings: Client OS: No Auditing | Server OS: Success Only
|
|
- Recommended settings: Domain Controllers: Success and Failure
|
|
- Other Account Management Events $m_other_account_management
|
|
- Volume: Low
|
|
- Default settings: No Auditing
|
|
- Recommended settings: Success and Failure
|
|
- Security Group Management $m_security_group_management
|
|
- Volume: Low
|
|
- Default settings: Success
|
|
- Recommended settings: Success and Failure
|
|
- User Account Management $m_user_account_management
|
|
- Volume: Low
|
|
- Default settings: Success
|
|
- Recommended settings: Success and Failure
|
|
Detailed Tracking
|
|
- Plug and Play Events $m_plug_and_play_events
|
|
- Volume: Typcially low
|
|
- Default settings: No Auditing
|
|
- Recommended settings: Success and Failure
|
|
- Process Creation $m_process_creation
|
|
- Volume: High
|
|
- Default settings: No Auditing
|
|
- Recommended settings: Success and Failure if sysmon is not configured.
|
|
- Process Termination $m_process_termination
|
|
- Volume: High
|
|
- Default settings: No Auditing
|
|
- Recommended settings: No Auditing unless you want to track the lifespan of processes.
|
|
- RPC (Remote Procedure Call) Events $m_rpc_events
|
|
- Volume: High on RPC servers (According to Microsoft)
|
|
- Default settings: No Auditing
|
|
- Recommended settings: Unknown. Needs testing.
|
|
- Token Right Adjusted Events $m_token_right_adjusted_events
|
|
- Volume: Unknown
|
|
- Default settings: No Auditing
|
|
- Recommended settings: Unknown. Needs testing.
|
|
DS (Directory Service) Access
|
|
- Directory Service Access $m_directory_service_access
|
|
- Volume: High
|
|
- Default settings: Client OS: No Auditing | Server OS: Success
|
|
- Recommended settings: Client OS: No Auditing | ADDS Server: Success and Failure
|
|
- Directory Service Changes
|
|
- Volume: High
|
|
- Default settings: No Auditing
|
|
- Recommended settings: Client OS: No Auditing | ADDS Server: Success and Failure
|
|
Logon/Logoff
|
|
- Account Lockout $m_account_lockout
|
|
- Volume: Low
|
|
- Default settings: Success
|
|
- Recommended settings: Success and Failure
|
|
- Group Membership
|
|
- Volume: Adds an extra 4627 event to every logon.
|
|
- Default settings: No Auditing
|
|
- Recommended settings: No Auditing
|
|
- Logoff $m_logoff
|
|
- Volume: High
|
|
- Default settings: Success
|
|
- Recommended settings: Success
|
|
- Logon $m_logon
|
|
- Volume: Low on clients, medium on DCs or network servers
|
|
- Default settings: Client OS: Success | Server OS: Success and Failure
|
|
- Recommended settings: Success and Failure
|
|
- Other Logon/Logoff Events $m_other_logon_logoff_events
|
|
- Volume: Low
|
|
- Default settings: No Auditing
|
|
- Recommended settings: Success and Failure
|
|
- Special Logon $m_special_logon
|
|
- Volume: Low on clients. Medium on DC or network servers.
|
|
- Default settings: Success
|
|
- Recommended settings: Success and Failure
|
|
Object Access
|
|
- Certification Services $m_certification_services
|
|
- Volume: Low to medium
|
|
- Default settings: No Auditing
|
|
- Recommended settings: Success and Failure for AD CS role servers.
|
|
- Detailed File Share $m_detailed_file_share
|
|
- Volume: Very high for file servers and DCs, however, may be necessary if you want to track who is accessing what files as well as detect various lateral movement.
|
|
- Default settings: No Auditing
|
|
- Recommended settings: No Auditing due to the high noise level. Enable if you can though.
|
|
- File Share $m_file_share
|
|
- Volume: High for file servers and DCs.
|
|
- Default settings: No Auditing
|
|
- Recommended settings: Success and Failure
|
|
- File System $m_file_system
|
|
- Volume: Depends on SACL rules
|
|
- Default settings: No Auditing
|
|
- Recommended settings: Enable SACLs just for sensitive files
|
|
- Filtering Platform Connection $m_filtering_platform_connection
|
|
- Volume: High
|
|
- Default settings: No Auditing
|
|
- Recommended settings: Success and Failure if you have enough space and are not monitoring network connections with sysmon. This should cause a high amount of events though.
|
|
- Filtering Platform Packet Drop $m_filtering_platform_packet_drop
|
|
- Volume: High
|
|
- Default settings: No Auditing
|
|
- Recommended settings: Success and Failure if you have enough space and are not monitoring network connections with sysmon. This should cause a high amount of events though.
|
|
- Kernel Object $m_kernel_object
|
|
- Volume: High if auditing access of global object access is enabled
|
|
- Default settings: No Auditing
|
|
- Recommended settings: Success and Failure but do not enable Audit the access of global system objects as you will generate too many 4663: Object Access events.
|
|
- Handle Manipulation $m_handle_manipulation
|
|
- Volume: High
|
|
- Default settings: No Auditing
|
|
- Recommended settings: Success and Failure
|
|
- Other Object Access Events $m_other_object_access_events
|
|
- Volume: Low
|
|
- Default settings: No Auditing
|
|
- Recommended settings: Success and Failure
|
|
- Registry $m_registry
|
|
- Volume: Depends on SACLs
|
|
- Default settings: No Auditing
|
|
- Recommended settings: Set SACLs for only the registry keys that you want to monitor
|
|
- Removable Storage $m_removable_storage
|
|
- Volume: Depends on how much removable storage is used
|
|
- Default settings: No Auditing
|
|
- Recommended settings: Success and Failure if you want to monitor external device usage.
|
|
- SAM $m_sam
|
|
- Volume: High volume of events on Domain Controllers
|
|
- Default settings: No Auditing
|
|
- Recommended settings: Success and Failure if you can but may cause too high volume of noise so should be tested beforehand.
|
|
Policy Change
|
|
- Audit Policy Change $m_audit_policy_change
|
|
- Volume: Low
|
|
- Default settings: Success
|
|
- Recommended settings: Success and Failure
|
|
- Authentication Policy Change $m_authentication_policy_change
|
|
- Volume: Low
|
|
- Default settings: Success
|
|
- Recommended settings: Success and Failure
|
|
- Authorization Policy Change $m_authorization_policy_change
|
|
- Volume: Medium to High
|
|
- Default settings: No Auditing
|
|
- Recommended settings: Unknown. Needs testing.
|
|
- Filtering Platform Policy Change $m_filtering_platform_policy_change
|
|
- Volume: Low
|
|
- Default settings: No Auditing
|
|
- Recommended settings: Unknown, Needs testing.
|
|
- MPSSVC Rule-Level Policy Change $m_mpssvc_rule_level_policy_change
|
|
- Volume: Low
|
|
- Default settings: No Auditing
|
|
- Recommended settings: Unknown. Needs testing.
|
|
- Other Policy Change Events $m_other_policy_change_events
|
|
- Volume: Low
|
|
- Default settings: No Auditing
|
|
- Recommended settings: No Auditing (Note: ACSC recommends Success and Failure, however, this results in a lot of noise of 5447 (A Windows Filtering Platform filter has been changed) events being generated.)
|
|
Privilege Use
|
|
- Non Sensitive Use Events $m_non_sensitive_use_events
|
|
- Volume: Very high
|
|
- Default settings: No Auditing
|
|
- Recommended settings: No Auditing
|
|
- Sensitive Privilege Use $m_sensitive_privilege_use
|
|
- Volume: High
|
|
- Default settings: No Auditing
|
|
- Recommended settings: Success and Failure However, this may be too noisy.
|
|
System
|
|
- Other System Events $m_other_system_events
|
|
- Volume: Low
|
|
- Default settings: Success and Failure
|
|
- Recommended settings: Unknown. Needs testing.
|
|
- Security State Change $m_security_state_change
|
|
- Volume: Low
|
|
- Default settings: Success
|
|
- Recommended settings: Success and Failure
|
|
- Security System Extension $m_security_system_extension
|
|
- Volume: Low, but more on DCs
|
|
- Default settings: No Auditing
|
|
- Recommended settings: Success and Failure
|
|
- System Integrity $m_system_integrity
|
|
- Volume: Low
|
|
- Default settings: Sucess, Failure
|
|
- Recommended settings: Success and Failure
|
|
"@
|
|
|
|
$msgLines = $msg -split "`n"
|
|
foreach ($line in $msgLines) {
|
|
if ($line -match '.*disabled.*\(') {
|
|
$parts = $line -split '(disabled.*\))'
|
|
foreach ($part in $parts) {
|
|
if ($part -match '.*disabled.*$') {
|
|
Write-Host -NoNewline $part -ForegroundColor Red
|
|
} else {
|
|
Write-Host -NoNewline $part
|
|
}
|
|
}
|
|
Write-Host ""
|
|
} elseif ($line -match '.*enabled.*\(') {
|
|
Write-Host $line -ForegroundColor Green
|
|
} else {
|
|
Write-Host $line
|
|
}
|
|
}
|
|
Write-Host ""
|
|
} |