Initial commit
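--- a/rules/ac.json
+++ b/rules/ac.json
@@ -0,0 +1,34 @@
+[
+{
+"id": "AC-01-AppLocker",
+"title": "AppLocker policy present",
+"strategy": "AC",
+"type": "scriptblock",
+"script": "try { (Get-AppLockerPolicy -Effective).RuleCollections.Count -gt 0 } catch { $false }",
+"minLevel": "ML1"
+},
+{
+"id": "AC-AppLocker-Enforced",
+"title": "AppLocker enforcement not AuditOnly for at least one collection",
+"strategy": "AC",
+"type": "scriptblock",
+"script": "(Get-AppLockerPolicy -Effective -ErrorAction SilentlyContinue).RuleCollections | Where-Object { $_.EnforcementMode -and $_.EnforcementMode -ne 'AuditOnly' } | Measure-Object | ForEach-Object { $_.Count -gt 0 }",
+"minLevel": "ML1"
+},
+{
+"id": "AC-02-WDAC",
+"title": "WDAC policy key present",
+"strategy": "AC",
+"type": "scriptblock",
+"script": "Test-Path 'HKLM:\\SYSTEM\\CurrentControlSet\\Control\\CI\\Policy'",
+"minLevel": "ML1"
+},
+{
+"id": "AC-03-SRP",
+"title": "Software Restriction Policies present",
+"strategy": "AC",
+"type": "scriptblock",
+"script": "Test-Path 'HKLM:\\SOFTWARE\\Policies\\Microsoft\\Windows\\Safer\\CodeIdentifiers'",
+"minLevel": "ML1"
+}
+]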
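Review bot: The AC-AppLocker-Enforced filter `$_.EnforcementMode -and $_.EnforcementMode -ne 'AuditOnly'` also accepts a collection whose mode is NotConfigured, so a policy that enforces nothing still satisfies a rule titled "enforcement not AuditOnly"; testing the enforced state directly, `Where-Object { $_.EnforcementMode -eq 'Enabled' }`, matches the title and is the only value that means rules are being applied. AC-02-WDAC and AC-03-SRP only test that a registry key exists, which says nothing about whether a policy is configured or enforced beneath it — the CI\Policy key appears to be present on hosts with no deployed WDAC policy, which would make that rule pass everywhere (worth confirming on a clean build), and the SRP key can exist with an unrestricted default level. If presence is all ML1 is meant to prove, a short `"note"` field per rule saying "presence check only, not enforcement" would stop consumers over-reading a pass. The id scheme also drifts within the file: AC-01-AppLocker and AC-02-WDAC carry a sequence number while AC-AppLocker-Enforced does not.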
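--- a/rules/ah.json
+++ b/rules/ah.json
@@ -0,0 +1,74 @@
+[
+{
+"id": "AH-IE11-Feature-Disabled",
+"title": "Internet Explorer 11 feature is disabled/removed (skip on Win11)",
+"strategy": "AH",
+"type": "scriptblock",
+"script": "$f=Get-WindowsOptionalFeature -Online -FeatureName Internet-Explorer-Optional-amd64 -ErrorAction SilentlyContinue; if($null -eq $f){ return $null }; $f.State -in @('Disabled','Removed')",
+"minLevel": "ML1"
+},
+{
+"id": "AH-Java-Plugin-Absent",
+"title": "Legacy Java browser plugin not present",
+"strategy": "AH",
+"type": "scriptblock",
+"script": "if( (Test-Path 'HKLM:\\SOFTWARE\\JavaSoft\\Java Plug-in') -or (Test-Path 'HKLM:\\SOFTWARE\\Oracle\\JavaDeploy\\WebDeployJava') ){ return $false } else { return $true }",
+"minLevel": "ML1"
+},
+{
+"id": "AH-Edge-SmartScreen",
+"title": "Microsoft Edge SmartScreen enabled via policy",
+"strategy": "AH",
+"type": "scriptblock",
+"script": "$edge=@('C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe','C:\\Program Files\\Microsoft\\Edge\\Application\\msedge.exe') | Where-Object {Test-Path $_}; if(-not $edge){ return $null }; $keys=@('HKLM:\\SOFTWARE\\Policies\\Microsoft\\Edge','HKCU:\\SOFTWARE\\Policies\\Microsoft\\Edge','HKLM:\\SOFTWARE\\Microsoft\\PolicyManager\\current\\device\\Browser'); foreach($k in $keys){ if(Test-Path $k){ try{ $val=(Get-ItemProperty -Path $k -ErrorAction Stop).SmartScreenEnabled; if($null -ne $val -and [int]$val -ge 1){ return $true } } catch{} } } $false",
+"minLevel": "ML1"
+},
+{
+"id": "AH-Edge-DownloadRestrictions",
+"title": "Edge download restrictions present",
+"strategy": "AH",
+"type": "scriptblock",
+"script": "$edge=@('C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe','C:\\Program Files\\Microsoft\\Edge\\Application\\msedge.exe') | Where-Object {Test-Path $_}; if(-not $edge){ return $null }; foreach($k in @('HKLM:\\SOFTWARE\\Policies\\Microsoft\\Edge','HKCU:\\SOFTWARE\\Policies\\Microsoft\\Edge')){ if(Test-Path $k){ $v=(Get-ItemProperty -Path $k -ErrorAction SilentlyContinue).DownloadRestrictions; if($null -ne $v -and [int]$v -ge 1){ return $true } } } $false",
+"minLevel": "ML1"
+},
+{
+"id": "AH-Chrome-SafeBrowsing",
+"title": "Chrome SafeBrowsing policy configured",
+"strategy": "AH",
+"type": "scriptblock",
+"script": "$chrome=@('C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe','C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe') | Where-Object {Test-Path $_}; if(-not $chrome){ return $null }; foreach($k in @('HKLM:\\SOFTWARE\\Policies\\Google\\Chrome','HKCU:\\SOFTWARE\\Policies\\Google\\Chrome')){ if(Test-Path $k){ $v=(Get-ItemProperty -Path $k -ErrorAction SilentlyContinue).SafeBrowsingProtectionLevel; if($null -ne $v -and [int]$v -ge 1){ return $true } } } $false",
+"minLevel": "ML1"
+},
+{
+"id": "AH-Chrome-DownloadRestrictions",
+"title": "Chrome download restrictions present",
+"strategy": "AH",
+"type": "scriptblock",
+"script": "$chrome=@('C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe','C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe') | Where-Object {Test-Path $_}; if(-not $chrome){ return $null }; foreach($k in @('HKLM:\\SOFTWARE\\Policies\\Google\\Chrome','HKCU:\\SOFTWARE\\Policies\\Google\\Chrome')){ if(Test-Path $k){ $v=(Get-ItemProperty -Path $k -ErrorAction SilentlyContinue).DownloadRestrictions; if($null -ne $v -and [int]$v -ge 1){ return $true } } } $false",
+"minLevel": "ML1"
+},
+{
+"id": "AH-Chrome-Ext-Blocklist",
+"title": "Chrome extension install blocklist configured",
+"strategy": "AH",
+"type": "scriptblock",
+"script": "if(-not (Test-Path 'HKLM:\\SOFTWARE\\Policies\\Google\\Chrome') -and -not (Test-Path 'HKCU:\\SOFTWARE\\Policies\\Google\\Chrome')){ return $null } $k='HKLM:\\SOFTWARE\\Policies\\Google\\Chrome\\ExtensionInstallBlocklist'; $k2='HKCU:\\SOFTWARE\\Policies\\Google\\Chrome\\ExtensionInstallBlocklist'; if(Test-Path $k -or Test-Path $k2){ return $true } $false",
+"minLevel": "ML1"
+},
+{
+"id": "AH-Firefox-PolicyKey",
+"title": "Firefox enterprise policies present",
+"strategy": "AH",
+"type": "scriptblock",
+"script": "$ff=@('C:\\Program Files\\Mozilla Firefox\\firefox.exe','C:\\Program Files (x86)\\Mozilla Firefox\\firefox.exe') | Where-Object {Test-Path $_}; if(-not $ff){ return $null }; if( (Test-Path 'HKLM:\\SOFTWARE\\Policies\\Mozilla\\Firefox') -or (Test-Path 'HKCU:\\SOFTWARE\\Policies\\Mozilla\\Firefox') ){ return $true } else { return $false }",
+"minLevel": "ML1"
+},
+{
+"id": "AH-Windows-SmartScreen",
+"title": "Windows SmartScreen enabled by policy",
+"strategy": "AH",
+"type": "scriptblock",
+"script": "$paths=@('HKLM:\\SOFTWARE\\Policies\\Microsoft\\Windows\\System','HKCU:\\SOFTWARE\\Policies\\Microsoft\\Windows\\System','HKLM:\\SOFTWARE\\Policies\\Microsoft\\Windows\\Explorer','HKCU:\\SOFTWARE\\Policies\\Microsoft\\Windows\\Explorer'); foreach($p in $paths){ if(Test-Path $p){ $prop=Get-ItemProperty -Path $p -ErrorAction SilentlyContinue; if($null -ne $prop.EnableSmartScreen -and [int]$prop.EnableSmartScreen -eq 1){ return $true }; if($null -ne $prop.SmartScreenEnabled -and [int]$prop.SmartScreenEnabled -ge 1){ return $true } } } $false",
+"minLevel": "ML1"
+}
+]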
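Review bot: In AH-Chrome-Ext-Blocklist the condition `if(Test-Path $k -or Test-Path $k2)` is parsed by PowerShell in command mode as one Test-Path call with `-or` bound as a parameter name and `Test-Path` as a further argument, so the rule raises a binding error instead of evaluating the intended OR; each call needs its own parentheses, `if((Test-Path $k) -or (Test-Path $k2)){ return $true }`. The same rule is also the only Chrome check that does not gate on chrome.exe being installed (it returns $null only when neither policy key exists), so it reports differently from its siblings on hosts without Chrome. Several rules read HKCU:, which is the hive of the account running the scanner; if the scanner runs elevated under a different account than the one being assessed, user-scoped policy is silently missed, and that scope should be stated in the rule set's documentation. AH-Java-Plugin-Absent only looks under HKLM:\SOFTWARE; a 32-bit plugin on 64-bit Windows would presumably register under the WOW6432Node view as well — confirm before adding that path.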
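--- a/rules/ra.json
+++ b/rules/ra.json
@@ -0,0 +1,26 @@
+[
+{
+"id": "RA-Local-Administrator-Disabled",
+"title": "Built-in Administrator account is disabled",
+"strategy": "RA",
+"type": "scriptblock",
+"script": "$u=Get-LocalUser -Name 'Administrator' -ErrorAction SilentlyContinue; if($null -eq $u){ return $true }; return (-not $u.Enabled)",
+"minLevel": "ML1"
+},
+{
+"id": "RA-UAC-Enabled",
+"title": "User Account Control (EnableLUA) enabled",
+"strategy": "RA",
+"type": "scriptblock",
+"script": "try { $v=(Get-ItemProperty -Path 'HKLM:\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System' -ErrorAction Stop).EnableLUA; if($null -ne $v -and [int]$v -eq 1){ return $true } else { return $false } } catch { return $false }",
+"minLevel": "ML1"
+},
+{
+"id": "RA-LAPS-PolicyPresent",
+"title": "Windows LAPS (or legacy LAPS) policy present",
+"strategy": "RA",
+"type": "scriptblock",
+"script": "if( (Test-Path 'HKLM:\\SOFTWARE\\Policies\\Microsoft\\Windows\\LAPS') -or (Test-Path 'HKLM:\\SOFTWARE\\Policies\\Microsoft Services\\AdmPwd') ){ return $true } else { return $false }",
+"minLevel": "ML1"
+}
+]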
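Review bot: RA-Local-Administrator-Disabled looks the account up by the name 'Administrator' and treats a miss as a pass (`if($null -eq $u){ return $true }`), so a host where the built-in account was merely renamed — a common hardening step — is reported compliant even when that account is still enabled. Resolving it by its well-known RID is rename-proof: `$u=Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }`; with that lookup an empty result is genuinely unexpected and should probably return $null (not applicable) rather than $true, matching how the ah.json rules signal "cannot assess". RA-LAPS-PolicyPresent only proves that one of the policy keys exists; a key with nothing configured beneath it still passes, so either the title should make the presence-only scope explicit or the script should inspect a setting under the key.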
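--- a/rules/rm.json
+++ b/rules/rm.json
@@ -0,0 +1,162 @@
+[
+{
+"id": "RM-01-VBAWarnings-Word-160",
+"title": "Word macros disabled by policy (VBAWarnings=4) Office 16.0",
+"strategy": "RM",
+"type": "scriptblock",
+"script": "$paths=@('HKLM:\\SOFTWARE\\Policies\\Microsoft\\Office\\16.0\\Word\\Security','HKCU:\\SOFTWARE\\Policies\\Microsoft\\Office\\16.0\\Word\\Security'); foreach($p in $paths){} foreach($p in $paths){ if(Test-Path $p){ $v=(Get-ItemProperty -Path $p -ErrorAction SilentlyContinue).VBAWarnings; if($null -ne $v -and [int]$v -eq 4){ return $true } } } $false",
+"minLevel": "ML1"
+},
+{
+"id": "RM-02-BlockInternet-Word-160",
+"title": "Word: block macros from Internet (blockcontentexecutionfrominternet=1) Office 16.0",
+"strategy": "RM",
+"type": "scriptblock",
+"script": "$paths=@('HKLM:\\SOFTWARE\\Policies\\Microsoft\\Office\\16.0\\Word\\Security','HKCU:\\SOFTWARE\\Policies\\Microsoft\\Office\\16.0\\Word\\Security'); foreach($p in $paths){ if(Test-Path $p){ $v=(Get-ItemProperty -Path $p -ErrorAction SilentlyContinue).blockcontentexecutionfrominternet; if($null -ne $v -and [int]$v -eq 1){ return $true } } } $false",
+"minLevel": "ML1"
+},
+{
+"id": "RM-01-VBAWarnings-Excel-160",
+"title": "Excel macros disabled by policy (VBAWarnings=4) Office 16.0",
+"strategy": "RM",
+"type": "scriptblock",
+"script": "$paths=@('HKLM:\\SOFTWARE\\Policies\\Microsoft\\Office\\16.0\\Excel\\Security','HKCU:\\SOFTWARE\\Policies\\Microsoft\\Office\\16.0\\Excel\\Security'); foreach($p in $paths){} foreach($p in $paths){ if(Test-Path $p){ $v=(Get-ItemProperty -Path $p -ErrorAction SilentlyContinue).VBAWarnings; if($null -ne $v -and [int]$v -eq 4){ return $true } } } $false",
+"minLevel": "ML1"
+},
+{
+"id": "RM-02-BlockInternet-Excel-160",
+"title": "Excel: block macros from Internet (blockcontentexecutionfrominternet=1) Office 16.0",
+"strategy": "RM",
+"type": "scriptblock",
+"script": "$paths=@('HKLM:\\SOFTWARE\\Policies\\Microsoft\\Office\\16.0\\Excel\\Security','HKCU:\\SOFTWARE\\Policies\\Microsoft\\Office\\16.0\\Excel\\Security'); foreach($p in $paths){ if(Test-Path $p){ $v=(Get-ItemProperty -Path $p -ErrorAction SilentlyContinue).blockcontentexecutionfrominternet; if($null -ne $v -and [int]$v -eq 1){ return $true } } } $false",
+"minLevel": "ML1"
+},
+{
+"id": "RM-01-VBAWarnings-PowerPoint-160",
+"title": "PowerPoint macros disabled by policy (VBAWarnings=4) Office 16.0",
+"strategy": "RM",
+"type": "scriptblock",
+"script": "$paths=@('HKLM:\\SOFTWARE\\Policies\\Microsoft\\Office\\16.0\\PowerPoint\\Security','HKCU:\\SOFTWARE\\Policies\\Microsoft\\Office\\16.0\\PowerPoint\\Security'); foreach($p in $paths){} foreach($p in $paths){ if(Test-Path $p){ $v=(Get-ItemProperty -Path $p -ErrorAction SilentlyContinue).VBAWarnings; if($null -ne $v -and [int]$v -eq 4){ return $true } } } $false",
+"minLevel": "ML1"
+},
+{
+"id": "RM-02-BlockInternet-PowerPoint-160",
+"title": "PowerPoint: block macros from Internet (blockcontentexecutionfrominternet=1) Office 16.0",
+"strategy": "RM",
+"type": "scriptblock",
+"script": "$paths=@('HKLM:\\SOFTWARE\\Policies\\Microsoft\\Office\\16.0\\PowerPoint\\Security','HKCU:\\SOFTWARE\\Policies\\Microsoft\\Office\\16.0\\PowerPoint\\Security'); foreach($p in $paths){ if(Test-Path $p){ $v=(Get-ItemProperty -Path $p -ErrorAction SilentlyContinue).blockcontentexecutionfrominternet; if($null -ne $v -and [int]$v -eq 1){ return $true } } } $false",
+"minLevel": "ML1"
+},
+{
+"id": "RM-01-VBAWarnings-Outlook-160",
+"title": "Outlook macros disabled by policy (VBAWarnings=4) Office 16.0",
+"strategy": "RM",
+"type": "scriptblock",
+"script": "$paths=@('HKLM:\\SOFTWARE\\Policies\\Microsoft\\Office\\16.0\\Outlook\\Security','HKCU:\\SOFTWARE\\Policies\\Microsoft\\Office\\16.0\\Outlook\\Security'); foreach($p in $paths){} foreach($p in $paths){ if(Test-Path $p){ $v=(Get-ItemProperty -Path $p -ErrorAction SilentlyContinue).VBAWarnings; if($null -ne $v -and [int]$v -eq 4){ return $true } } } $false",
+"minLevel": "ML1"
+},
+{
+"id": "RM-02-BlockInternet-Outlook-160",
+"title": "Outlook: block macros from Internet (blockcontentexecutionfrominternet=1) Office 16.0",
+"strategy": "RM",
+"type": "scriptblock",
+"script": "$paths=@('HKLM:\\SOFTWARE\\Policies\\Microsoft\\Office\\16.0\\Outlook\\Security','HKCU:\\SOFTWARE\\Policies\\Microsoft\\Office\\16.0\\Outlook\\Security'); foreach($p in $paths){ if(Test-Path $p){ $v=(Get-ItemProperty -Path $p -ErrorAction SilentlyContinue).blockcontentexecutionfrominternet; if($null -ne $v -and [int]$v -eq 1){ return $true } } } $false",
+"minLevel": "ML1"
+},
+{
+"id": "RM-01-VBAWarnings-Word-150",
+"title": "Word macros disabled by policy (VBAWarnings=4) Office 15.0",
+"strategy": "RM",
+"type": "scriptblock",
+"script": "$paths=@('HKLM:\\SOFTWARE\\Policies\\Microsoft\\Office\\15.0\\Word\\Security','HKCU:\\SOFTWARE\\Policies\\Microsoft\\Office\\15.0\\Word\\Security'); foreach($p in $paths){} foreach($p in $paths){ if(Test-Path $p){ $v=(Get-ItemProperty -Path $p -ErrorAction SilentlyContinue).VBAWarnings; if($null -ne $v -and [int]$v -eq 4){ return $true } } } $false",
+"minLevel": "ML1"
+},
+{
+"id": "RM-02-BlockInternet-Word-150",
+"title": "Word: block macros from Internet (blockcontentexecutionfrominternet=1) Office 15.0",
+"strategy": "RM",
+"type": "scriptblock",
+"script": "$paths=@('HKLM:\\SOFTWARE\\Policies\\Microsoft\\Office\\15.0\\Word\\Security','HKCU:\\SOFTWARE\\Policies\\Microsoft\\Office\\15.0\\Word\\Security'); foreach($p in $paths){ if(Test-Path $p){ $v=(Get-ItemProperty -Path $p -ErrorAction SilentlyContinue).blockcontentexecutionfrominternet; if($null -ne $v -and [int]$v -eq 1){ return $true } } } $false",
+"minLevel": "ML1"
+},
+{
+"id": "RM-01-VBAWarnings-Excel-150",
+"title": "Excel macros disabled by policy (VBAWarnings=4) Office 15.0",
+"strategy": "RM",
+"type": "scriptblock",
+"script": "$paths=@('HKLM:\\SOFTWARE\\Policies\\Microsoft\\Office\\15.0\\Excel\\Security','HKCU:\\SOFTWARE\\Policies\\Microsoft\\Office\\15.0\\Excel\\Security'); foreach($p in $paths){} foreach($p in $paths){ if(Test-Path $p){ $v=(Get-ItemProperty -Path $p -ErrorAction SilentlyContinue).VBAWarnings; if($null -ne $v -and [int]$v -eq 4){ return $true } } } $false",
+"minLevel": "ML1"
+},
+{
+"id": "RM-02-BlockInternet-Excel-150",
+"title": "Excel: block macros from Internet (blockcontentexecutionfrominternet=1) Office 15.0",
+"strategy": "RM",
+"type": "scriptblock",
+"script": "$paths=@('HKLM:\\SOFTWARE\\Policies\\Microsoft\\Office\\15.0\\Excel\\Security','HKCU:\\SOFTWARE\\Policies\\Microsoft\\Office\\15.0\\Excel\\Security'); foreach($p in $paths){ if(Test-Path $p){ $v=(Get-ItemProperty -Path $p -ErrorAction SilentlyContinue).blockcontentexecutionfrominternet; if($null -ne $v -and [int]$v -eq 1){ return $true } } } $false",
+"minLevel": "ML1"
+},
+{
+"id": "RM-01-VBAWarnings-PowerPoint-150",
+"title": "PowerPoint macros disabled by policy (VBAWarnings=4) Office 15.0",
+"strategy": "RM",
+"type": "scriptblock",
+"script": "$paths=@('HKLM:\\SOFTWARE\\Policies\\Microsoft\\Office\\15.0\\PowerPoint\\Security','HKCU:\\SOFTWARE\\Policies\\Microsoft\\Office\\15.0\\PowerPoint\\Security'); foreach($p in $paths){} foreach($p in $paths){ if(Test-Path $p){ $v=(Get-ItemProperty -Path $p -ErrorAction SilentlyContinue).VBAWarnings; if($null -ne $v -and [int]$v -eq 4){ return $true } } } $false",
+"minLevel": "ML1"
+},
+{
+"id": "RM-02-BlockInternet-PowerPoint-150",
+"title": "PowerPoint: block macros from Internet (blockcontentexecutionfrominternet=1) Office 15.0",
+"strategy": "RM",
+"type": "scriptblock",
+"script": "$paths=@('HKLM:\\SOFTWARE\\Policies\\Microsoft\\Office\\15.0\\PowerPoint\\Security','HKCU:\\SOFTWARE\\Policies\\Microsoft\\Office\\15.0\\PowerPoint\\Security'); foreach($p in $paths){ if(Test-Path $p){ $v=(Get-ItemProperty -Path $p -ErrorAction SilentlyContinue).blockcontentexecutionfrominternet; if($null -ne $v -and [int]$v -eq 1){ return $true } } } $false",
+"minLevel": "ML1"
+},
+{
+"id": "RM-01-VBAWarnings-Outlook-150",
+"title": "Outlook macros disabled by policy (VBAWarnings=4) Office 15.0",
+"strategy": "RM",
+"type": "scriptblock",
+"script": "$paths=@('HKLM:\\SOFTWARE\\Policies\\Microsoft\\Office\\15.0\\Outlook\\Security','HKCU:\\SOFTWARE\\Policies\\Microsoft\\Office\\15.0\\Outlook\\Security'); foreach($p in $paths){} foreach($p in $paths){ if(Test-Path $p){ $v=(Get-ItemProperty -Path $p -ErrorAction SilentlyContinue).VBAWarnings; if($null -ne $v -and [int]$v -eq 4){ return $true } } } $false",
+"minLevel": "ML1"
+},
+{
+"id": "RM-02-BlockInternet-Outlook-150",
+"title": "Outlook: block macros from Internet (blockcontentexecutionfrominternet=1) Office 15.0",
+"strategy": "RM",
+"type": "scriptblock",
+"script": "$paths=@('HKLM:\\SOFTWARE\\Policies\\Microsoft\\Office\\15.0\\Outlook\\Security','HKCU:\\SOFTWARE\\Policies\\Microsoft\\Office\\15.0\\Outlook\\Security'); foreach($p in $paths){ if(Test-Path $p){ $v=(Get-ItemProperty -Path $p -ErrorAction SilentlyContinue).blockcontentexecutionfrominternet; if($null -ne $v -and [int]$v -eq 1){ return $true } } } $false",
+"minLevel": "ML1"
+},
+{
+"id": "RM-03-MacroRuntimeScan-160",
+"title": "Macro runtime AV scanning configured (Office 16.0 common security)",
+"strategy": "RM",
+"type": "scriptblock",
+"script": "$paths=@('HKLM:\\SOFTWARE\\Policies\\Microsoft\\Office\\16.0\\Common\\Security','HKCU:\\SOFTWARE\\Policies\\Microsoft\\Office\\16.0\\Common\\Security'); foreach($p in $paths){ if(Test-Path $p){ $v=(Get-ItemProperty -Path $p -ErrorAction SilentlyContinue).MacroRuntimeScanScope; if($null -ne $v -and @('1','2') -contains ([string]$v)){ return $true } } } $false",
+"minLevel": "ML1"
+},
+{
+"id": "RM-03-MacroRuntimeScan-150",
+"title": "Macro runtime AV scanning configured (Office 15.0 common security)",
+"strategy": "RM",
+"type": "scriptblock",
+"script": "$paths=@('HKLM:\\SOFTWARE\\Policies\\Microsoft\\Office\\15.0\\Common\\Security','HKCU:\\SOFTWARE\\Policies\\Microsoft\\Office\\15.0\\Common\\Security'); foreach($p in $paths){ if(Test-Path $p){ $v=(Get-ItemProperty -Path $p -ErrorAction SilentlyContinue).MacroRuntimeScanScope; if($null -ne $v -and @('1','2') -contains ([string]$v)){ return $true } } } $false",
+"minLevel": "ML1"
+},
+{
+"id": "RM-TRUSTED-PUBLISHERS-160",
+"title": "Trusted Publishers enforcement present (Office 16.0)",
+"strategy": "RM",
+"type": "scriptblock",
+"script": "$p='HKLM:\\SOFTWARE\\Policies\\Microsoft\\Office\\16.0\\Common\\Security'; if(Test-Path $p){ $v=(Get-ItemProperty -Path $p -ErrorAction SilentlyContinue).TrustedPublisher; if($null -ne $v -and [int]$v -eq 1){ return $true } } $false",
+"minLevel": "ML3"
+},
+{
+"id": "RM-TRUSTED-PUBLISHERS-150",
+"title": "Trusted Publishers enforcement present (Office 15.0)",
+"strategy": "RM",
+"type": "scriptblock",
+"script": "$p='HKLM:\\SOFTWARE\\Policies\\Microsoft\\Office\\15.0\\Common\\Security'; if(Test-Path $p){ $v=(Get-ItemProperty -Path $p -ErrorAction SilentlyContinue).TrustedPublisher; if($null -ne $v -and [int]$v -eq 1){ return $true } } $false",
+"minLevel": "ML3"
+}
+]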
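Review bot: Every VBAWarnings rule (RM-01-VBAWarnings-Word-160 and the seven other RM-01 entries) opens its script with an empty `foreach($p in $paths){}` immediately before the real loop; it is dead code that reads like a leftover from an edit and should be dropped so the script starts at `foreach($p in $paths){ if(Test-Path $p){ ... } } $false`. The two RM-TRUSTED-PUBLISHERS rules consult only HKLM: while every other rule in this file also consults HKCU:; if that asymmetry is deliberate it deserves a note in the rule, otherwise the HKCU path should be added for consistency. The RM-01/RM-02/RM-03 prefixes are reused across applications and Office versions, so the number is a control index rather than a unique sequence — that is workable, but a short note on the id scheme in the repository's README would stop consumers from treating the number as unique. Since these rules are evaluated as PowerShell script blocks from JSON strings, the loader should be the place that documents what the three return values ($true, $false, $null) mean, because the rules rely on that convention without stating it.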