vibecoding/E8-CAT
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Initial commit

Browse Source
This commit is contained in:
Tomas Kracmar
2025-09-02 16:42:12 +02:00
parent 053e60fc25
commit cfde980ec3
10 changed files with 727 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
.gitignore vendored Normal file
View File

@@ -0,0 +1 @@
.DS_Store

198
E8-CAT.ps1 Normal file
View File

@@ -0,0 +1,198 @@
[CmdletBinding()]
param(
[ValidateSet('ML1','ML2','ML3','All')] [string]$Profile = 'ML1',
[string]$RulesPath = ".\rules",
[string]$ProfilesPath = ".\profiles",
[string]$OutDir = ".\out"
)
function New-Result($rule,$status,$evidence){
[pscustomobject]@{
RuleId = $rule.id
Title = $rule.title
Strategy = $rule.strategy
Level = $Profile
Status = $status # PASS / FAIL / SKIPPED / N/A / ERROR
Evidence = $evidence
Timestamp = (Get-Date).ToString("s")
}
}
function Test-Registry {
param($r)
$root = if ($r.scope -eq 'HKCU') { 'HKCU:' } else { 'HKLM:' }
$path = if ($r.path.StartsWith('\')) { Join-Path $root $r.path.Substring(1) } else { Join-Path $root $r.path }
try {
if (-not (Test-Path $path)) { return @{ok=$false; ev="Path missing: $path"} }
$prop = Get-ItemProperty -Path $path -ErrorAction Stop
if (-not $r.name -or $r.name -eq '') { return @{ ok=$true; ev="Key exists: $path" } }
if ($null -eq $prop.$($r.name)) { return @{ok=$false; ev="Value missing: $path\$($r.name)"} }
$val = $prop.$($r.name)
$op = if ($r.op) { $r.op } else { 'eq' }
$ok = $false
switch ($op) {
'eq' { $ok = ([string]$val -eq [string]$r.expected) }
'ne' { $ok = ([string]$val -ne [string]$r.expected) }
'in' { $ok = ($r.expected -contains ([string]$val)) }
'ge' { $ok = ([double]$val -ge [double]$r.expected) }
'le' { $ok = ([double]$val -le [double]$r.expected) }
default { $ok = ([string]$val -eq [string]$r.expected) }
}
@{ ok=$ok; ev="[$path] $($r.name)=$val (expect $op $($r.expected))" }
} catch { @{ ok=$false; ev=("Error: {0}" -f $_.Exception.Message) } }
}
function Test-File {
param($r)
$exists = Test-Path $r.path
$ok = if ($r.op -eq 'absent') { -not $exists } else { $exists }
@{ ok=$ok; ev="$($r.path) Exists=$exists (expect $($r.op))" }
}
function Test-Command {
param($r)
try {
$expected = if ($null -ne $r.expectedExitCode) { [int]$r.expectedExitCode } else { 0 }
$p = Start-Process -FilePath "powershell.exe" -ArgumentList "-NoProfile -NonInteractive -Command `$ErrorActionPreference='Stop'; $($r.command)" -NoNewWindow -PassThru -Wait
$ok = ($p.ExitCode -eq $expected)
@{ ok=$ok; ev=("ExitCode={0} (expect {1})" -f $p.ExitCode, $expected) }
} catch { @{ ok=$false; ev=("Error: {0}" -f $_.Exception.Message) } }
}
function Test-ScriptBlock {
param($r)
try {
$sb = [ScriptBlock]::Create($r.script)
$res = & $sb
if ($null -eq $res) { return @{ ok=$false; ev="Script returned `$null (treat as SKIPPED)"; skipped=$true } }
$ok = [bool]$res
@{ ok=$ok; ev=("Script returned: {0}. Expected $true; return $null to SKIP." -f $res) }
} catch { @{ ok=$false; ev=("Error: {0}" -f $_.Exception.Message) } }
}
function Test-ADOptional {
param($r)
if (-not (Get-Module -ListAvailable ActiveDirectory)) {
return @{ ok=$false; ev="Skipped (ActiveDirectory module not found)"; skipped=$true }
}
try {
$sb = [ScriptBlock]::Create($r.script)
$res = & $sb
if ($null -eq $res) { return @{ ok=$false; ev="Script returned `$null (treat as SKIPPED)"; skipped=$true } }
$ok = [bool]$res
@{ ok=$ok; ev=("Script returned: {0}. Expected $true; return $null to SKIP." -f $res) }
} catch { @{ ok=$false; ev=("Error: {0}" -f $_.Exception.Message) } }
}
# Load rules
$ruleFiles = Get-ChildItem -Path $RulesPath -Filter *.json -File
$allRules = @()
foreach ($f in $ruleFiles) {
$data = Get-Content $f.FullName -Raw | ConvertFrom-Json
if ($data -is [System.Array]) { $allRules += $data } else { $allRules += ,$data }
}
# Load profile object unless All
$ProfileObj = $null
if ($Profile -ne 'All') {
$profileFile = Join-Path $ProfilesPath ("{0}.json" -f $Profile.ToLower())
if (-not (Test-Path $profileFile)) { throw "Profile not found: $profileFile" }
$ProfileObj = Get-Content $profileFile -Raw | ConvertFrom-Json
}
# Evaluate (single level or all levels)
$results = New-Object System.Collections.Generic.List[object]
# Determine rule set
$rules = $allRules
if ($Profile -ne 'All' -and $ProfileObj -and ($ProfileObj.PSObject.Properties.Name -contains 'includeRuleIds') -and $ProfileObj.includeRuleIds) {
$rules = @()
foreach ($r in $allRules) { if ($ProfileObj.includeRuleIds -contains $r.id) { $rules += ,$r } }
}
$levelsToRun = if ($Profile -eq 'All') { @('ML1','ML2','ML3') } else { @($Profile) }
$levelOrder = @{ ML1=1; ML2=2; ML3=3 }
foreach ($runLevel in $levelsToRun) {
foreach ($rule in $rules) {
switch ($rule.type) {
'registry' { $r = Test-Registry $rule }
'file' { $r = Test-File $rule }
'command' { $r = Test-Command $rule }
'scriptblock' { $r = Test-ScriptBlock $rule }
'ad-optional' { $r = Test-ADOptional $rule }
default { $r = @{ ok=$false; ev=("Unknown type {0}" -f $rule.type) } }
}
$applies = $true
if ($rule.minLevel) { $applies = ($levelOrder[$runLevel] -ge $levelOrder[$rule.minLevel]) }
if ($r.skipped) { $status = 'SKIPPED' }
else {
if (-not $applies) { $status = 'N/A' }
else { if ($r.ok) { $status = 'PASS' } else { $status = 'FAIL' } }
}
$results.Add([pscustomobject]@{
RuleId = $rule.id
Title = $rule.title
Strategy = $rule.strategy
Level = $runLevel
Status = $status
Evidence = $r.ev
Timestamp= (Get-Date).ToString("s")
})
}
}
# Score per level (avoid $pass name to prevent any oddities)
$levelScores = @{}
foreach ($lvl in $levelsToRun) {
$scored = $results | Where-Object { $_.Level -eq $lvl -and $_.Status -in 'PASS','FAIL' }
$passCount = ($scored | Where-Object { $_.Status -eq 'PASS' }).Count
$failCount = ($scored | Where-Object { $_.Status -eq 'FAIL' }).Count
$totalCount = [math]::Max(1, $scored.Count)
$pct = [math]::Round(100 * $passCount / $totalCount, 1)
$levelScores[$lvl] = @{ Pass=$passCount; Fail=$failCount; Total=$totalCount; Pct=$pct }
Write-Host ("E8-CAT {0} score: {1}% (PASS={2} / FAIL={3} / Total={4})" -f $lvl,$pct,$passCount,$failCount,$totalCount)
}
New-Item -ItemType Directory -Force -Path $OutDir | Out-Null
$ts = (Get-Date).ToString("yyyyMMdd-HHmmss")
$jsonPath = Join-Path $OutDir ("E8CAT-{0}-{1}.json" -f $Profile,$ts)
$csvPath = Join-Path $OutDir ("E8CAT-{0}-{1}.csv" -f $Profile,$ts)
$htmlPath = Join-Path $OutDir ("E8CAT-{0}-{1}.html" -f $Profile,$ts)
$results | ConvertTo-Json -Depth 6 | Set-Content -Path $jsonPath -Encoding UTF8
$results | Export-Csv -NoTypeInformation -Path $csvPath -Encoding UTF8
$summary = ''
foreach ($k in ('ML1','ML2','ML3')) {
if ($levelScores.ContainsKey($k)) {
$s = $levelScores[$k]
$summary += ("<li><strong>{0}</strong>: {1}% (PASS {2} / FAIL {3} / Total {4})</li>" -f $k,$s.Pct,$s.Pass,$s.Fail,$s.Total)
}
}
$summary = "<ul>" + $summary + "</ul>"
$rows = $results | ForEach-Object {
"<tr><td>$($_.RuleId)</td><td>$($_.Strategy)</td><td>$($_.Title)</td><td>$($_.Level)</td><td>$($_.Status)</td><td><pre>$($_.Evidence -replace '<','&lt;')</pre></td></tr>"
} | Out-String
@"
<!doctype html><html><head><meta charset="utf-8"><title>E8-CAT $Profile</title>
<style>body{font-family:Segoe UI,Arial;margin:24px}table{border-collapse:collapse;width:100%}th,td{border:1px solid #ddd;padding:8px}th{background:#f5f5f5;text-align:left}td pre{white-space:pre-wrap}</style>
</head><body>
<h1>E8-CAT - Profile $Profile</h1>
<h3>Scores</h3>
$summary
<table><thead><tr><th>RuleId</th><th>Strategy</th><th>Title</th><th>Level</th><th>Status</th><th>Evidence</th></tr></thead>
<tbody>
$rows
</tbody></table>
</body></html>
"@ | Set-Content -Path $htmlPath -Encoding UTF8
Write-Host "Saved: $jsonPath"
Write-Host "Saved: $csvPath"
Write-Host "Saved: $htmlPath"

111
README.md
View File

@@ -1,3 +1,110 @@
# E8-CAT
# E8-CAT Essential Eight Compliance Assessment Tool
Essential Eight compliance assessment tool
`E8-CAT` is a lightweight PowerShell-based compliance scanner, similar in spirit to CIS-CAT, designed to check Windows workstations and servers against the [ACSC Essential Eight](https://www.cyber.gov.au/acsc/view-all-content/essential-eight) hardening strategies.
This build includes rules for **Maturity Levels 13** and can report on all levels in a single run.
---
## Features
- **Profiles:** Run checks for a specific level (`ML1`, `ML2`, `ML3`) or all at once (`All`).
- **All-level mode:** With `-Profile All`, the scanner evaluates ML13 in one pass and reports per-level results and scores.
- **Per-rule applicability:** Rules know their minimum level. If they dont apply to a level, theyre marked **N/A**.
- **Evidence-based:** Each rule outputs evidence showing registry values, feature state, or script results.
- **Skip logic:** If a product isnt installed (e.g., Chrome, Edge, Firefox, IE on Win11), the rule reports **SKIPPED**.
- **Cross-scope checks:** Registry policies are checked under both **HKLM** and **HKCU**.
- **Output formats:** JSON, CSV, and HTML reports saved under `.\out\`.
- **PowerShell 5.1 compatible:** Works on standard Windows builds (no modern operators like `??`).
---
## Usage
```powershell
Set-ExecutionPolicy Bypass -Scope Process -Force
# Navigate into the E8-CAT folder
Set-Location .\E8-CAT
# Run all levels in one pass
.\E8-CAT.ps1 -Profile All
# Run a specific maturity level
.\E8-CAT.ps1 -Profile ML1
.\E8-CAT.ps1 -Profile ML2
.\E8-CAT.ps1 -Profile ML3
```
---
## Outputs
Results are written to `.\out` with timestamped filenames:
- **CSV** Easy import into Excel or SIEM tools
- **JSON** Machine-readable for pipelines and dashboards
- **HTML** Human-friendly report with tables and score summaries
Example output files:
```
.\out\E8CAT-ML1-20250902-153936.csv
.\out\E8CAT-ML1-20250902-153936.json
.\out\E8CAT-ML1-20250902-153936.html
```
---
## Rule Coverage
Rules are organised by strategy:
- **RM Restrict Macros:**
- Office macro settings (Word/Excel/PowerPoint/Outlook, Office 15.0 & 16.0)
- Block macros from the Internet
- Macro runtime AV scanning
- Trusted Publisher enforcement (ML3)
- **AH Application Hardening:**
- Internet Explorer 11 feature disabled (skips on Win11)
- Java browser plugin absent
- Microsoft Edge SmartScreen + download restrictions
- Chrome SafeBrowsing, download restrictions, extension blocklist
- Firefox enterprise policy presence
- Windows SmartScreen (multiple policy keys)
- **AC Application Control:**
- AppLocker policy present and enforced (not AuditOnly)
- Windows Defender Application Control (WDAC) policy present
- Software Restriction Policies present
- **RA Restrict Admin Privileges:**
- Built-in Administrator account disabled
- UAC (EnableLUA) enabled
- Local Administrator Password Solution (LAPS) policy present (Windows or legacy)
---
## Rule Semantics
Rules are defined in `.\rules\*.json`. Each rule specifies:
- `id`, `title`, `strategy`, `type`, `script` (or registry/command parameters)
- `minLevel` (ML1, ML2, ML3)
**Return values in rules:**
- `$true`**PASS**
- `$false`**FAIL**
- `$null`**SKIPPED**
---
## Profiles
Profiles are stored under `.\profiles\ml1.json`, `ml2.json`, `ml3.json`. They contain the rule IDs included at each level.
When running `-Profile All`, these profiles are ignored and all rules are checked, with results shown for each level.
---
## Example Run
```powershell
PS C:\E8-CAT> .\E8-CAT.ps1 -Profile All
E8-CAT ML1 score: 78.9% (PASS=15 / FAIL=4 / Total=19)
E8-CAT ML2 score: 65.0% (PASS=13 / FAIL=7 / Total=20)
E8-CAT ML3 score: 42.9% (PASS=9 / FAIL=12 / Total=21)
Saved: .\out\E8CAT-All-20250902-161413.json
Saved: .\out\E8CAT-All-20250902-161413.csv
Saved: .\out\E8CAT-All-20250902-161413.html
```

41
profiles/ml1.json Normal file
View File

@@ -0,0 +1,41 @@
{
"name": "ML1",
"includeRuleIds": [
"RM-01-VBAWarnings-Word-160",
"RM-02-BlockInternet-Word-160",
"RM-01-VBAWarnings-Excel-160",
"RM-02-BlockInternet-Excel-160",
"RM-01-VBAWarnings-PowerPoint-160",
"RM-02-BlockInternet-PowerPoint-160",
"RM-01-VBAWarnings-Outlook-160",
"RM-02-BlockInternet-Outlook-160",
"RM-01-VBAWarnings-Word-150",
"RM-02-BlockInternet-Word-150",
"RM-01-VBAWarnings-Excel-150",
"RM-02-BlockInternet-Excel-150",
"RM-01-VBAWarnings-PowerPoint-150",
"RM-02-BlockInternet-PowerPoint-150",
"RM-01-VBAWarnings-Outlook-150",
"RM-02-BlockInternet-Outlook-150",
"RM-03-MacroRuntimeScan-160",
"RM-03-MacroRuntimeScan-150",
"RM-TRUSTED-PUBLISHERS-160",
"RM-TRUSTED-PUBLISHERS-150",
"AH-IE11-Feature-Disabled",
"AH-Java-Plugin-Absent",
"AH-Edge-SmartScreen",
"AH-Edge-DownloadRestrictions",
"AH-Chrome-SafeBrowsing",
"AH-Chrome-DownloadRestrictions",
"AH-Chrome-Ext-Blocklist",
"AH-Firefox-PolicyKey",
"AH-Windows-SmartScreen",
"AC-01-AppLocker",
"AC-AppLocker-Enforced",
"AC-02-WDAC",
"AC-03-SRP",
"RA-Local-Administrator-Disabled",
"RA-UAC-Enabled",
"RA-LAPS-PolicyPresent"
]
}

41
profiles/ml2.json Normal file
View File

@@ -0,0 +1,41 @@
{
"name": "ML2",
"includeRuleIds": [
"RM-01-VBAWarnings-Word-160",
"RM-02-BlockInternet-Word-160",
"RM-01-VBAWarnings-Excel-160",
"RM-02-BlockInternet-Excel-160",
"RM-01-VBAWarnings-PowerPoint-160",
"RM-02-BlockInternet-PowerPoint-160",
"RM-01-VBAWarnings-Outlook-160",
"RM-02-BlockInternet-Outlook-160",
"RM-01-VBAWarnings-Word-150",
"RM-02-BlockInternet-Word-150",
"RM-01-VBAWarnings-Excel-150",
"RM-02-BlockInternet-Excel-150",
"RM-01-VBAWarnings-PowerPoint-150",
"RM-02-BlockInternet-PowerPoint-150",
"RM-01-VBAWarnings-Outlook-150",
"RM-02-BlockInternet-Outlook-150",
"RM-03-MacroRuntimeScan-160",
"RM-03-MacroRuntimeScan-150",
"RM-TRUSTED-PUBLISHERS-160",
"RM-TRUSTED-PUBLISHERS-150",
"AH-IE11-Feature-Disabled",
"AH-Java-Plugin-Absent",
"AH-Edge-SmartScreen",
"AH-Edge-DownloadRestrictions",
"AH-Chrome-SafeBrowsing",
"AH-Chrome-DownloadRestrictions",
"AH-Chrome-Ext-Blocklist",
"AH-Firefox-PolicyKey",
"AH-Windows-SmartScreen",
"AC-01-AppLocker",
"AC-AppLocker-Enforced",
"AC-02-WDAC",
"AC-03-SRP",
"RA-Local-Administrator-Disabled",
"RA-UAC-Enabled",
"RA-LAPS-PolicyPresent"
]
}

41
profiles/ml3.json Normal file
View File

@@ -0,0 +1,41 @@
{
"name": "ML3",
"includeRuleIds": [
"RM-01-VBAWarnings-Word-160",
"RM-02-BlockInternet-Word-160",
"RM-01-VBAWarnings-Excel-160",
"RM-02-BlockInternet-Excel-160",
"RM-01-VBAWarnings-PowerPoint-160",
"RM-02-BlockInternet-PowerPoint-160",
"RM-01-VBAWarnings-Outlook-160",
"RM-02-BlockInternet-Outlook-160",
"RM-01-VBAWarnings-Word-150",
"RM-02-BlockInternet-Word-150",
"RM-01-VBAWarnings-Excel-150",
"RM-02-BlockInternet-Excel-150",
"RM-01-VBAWarnings-PowerPoint-150",
"RM-02-BlockInternet-PowerPoint-150",
"RM-01-VBAWarnings-Outlook-150",
"RM-02-BlockInternet-Outlook-150",
"RM-03-MacroRuntimeScan-160",
"RM-03-MacroRuntimeScan-150",
"RM-TRUSTED-PUBLISHERS-160",
"RM-TRUSTED-PUBLISHERS-150",
"AH-IE11-Feature-Disabled",
"AH-Java-Plugin-Absent",
"AH-Edge-SmartScreen",
"AH-Edge-DownloadRestrictions",
"AH-Chrome-SafeBrowsing",
"AH-Chrome-DownloadRestrictions",
"AH-Chrome-Ext-Blocklist",
"AH-Firefox-PolicyKey",
"AH-Windows-SmartScreen",
"AC-01-AppLocker",
"AC-AppLocker-Enforced",
"AC-02-WDAC",
"AC-03-SRP",
"RA-Local-Administrator-Disabled",
"RA-UAC-Enabled",
"RA-LAPS-PolicyPresent"
]
}

34
rules/ac.json Normal file
View File

@@ -0,0 +1,34 @@
[
{
"id": "AC-01-AppLocker",
"title": "AppLocker policy present",
"strategy": "AC",
"type": "scriptblock",
"script": "try { (Get-AppLockerPolicy -Effective).RuleCollections.Count -gt 0 } catch { $false }",
"minLevel": "ML1"
},
{
"id": "AC-AppLocker-Enforced",
"title": "AppLocker enforcement not AuditOnly for at least one collection",
"strategy": "AC",
"type": "scriptblock",
"script": "(Get-AppLockerPolicy -Effective -ErrorAction SilentlyContinue).RuleCollections | Where-Object { $_.EnforcementMode -and $_.EnforcementMode -ne 'AuditOnly' } | Measure-Object | ForEach-Object { $_.Count -gt 0 }",
"minLevel": "ML1"
},
{
"id": "AC-02-WDAC",
"title": "WDAC policy key present",
"strategy": "AC",
"type": "scriptblock",
"script": "Test-Path 'HKLM:\\SYSTEM\\CurrentControlSet\\Control\\CI\\Policy'",
"minLevel": "ML1"
},
{
"id": "AC-03-SRP",
"title": "Software Restriction Policies present",
"strategy": "AC",
"type": "scriptblock",
"script": "Test-Path 'HKLM:\\SOFTWARE\\Policies\\Microsoft\\Windows\\Safer\\CodeIdentifiers'",
"minLevel": "ML1"
}
]

74
rules/ah.json Normal file
View File

@@ -0,0 +1,74 @@
[
{
"id": "AH-IE11-Feature-Disabled",
"title": "Internet Explorer 11 feature is disabled/removed (skip on Win11)",
"strategy": "AH",
"type": "scriptblock",
"script": "$f=Get-WindowsOptionalFeature -Online -FeatureName Internet-Explorer-Optional-amd64 -ErrorAction SilentlyContinue; if($null -eq $f){ return $null }; $f.State -in @('Disabled','Removed')",
"minLevel": "ML1"
},
{
"id": "AH-Java-Plugin-Absent",
"title": "Legacy Java browser plugin not present",
"strategy": "AH",
"type": "scriptblock",
"script": "if( (Test-Path 'HKLM:\\SOFTWARE\\JavaSoft\\Java Plug-in') -or (Test-Path 'HKLM:\\SOFTWARE\\Oracle\\JavaDeploy\\WebDeployJava') ){ return $false } else { return $true }",
"minLevel": "ML1"
},
{
"id": "AH-Edge-SmartScreen",
"title": "Microsoft Edge SmartScreen enabled via policy",
"strategy": "AH",
"type": "scriptblock",
"script": "$edge=@('C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe','C:\\Program Files\\Microsoft\\Edge\\Application\\msedge.exe') | Where-Object {Test-Path $_}; if(-not $edge){ return $null }; $keys=@('HKLM:\\SOFTWARE\\Policies\\Microsoft\\Edge','HKCU:\\SOFTWARE\\Policies\\Microsoft\\Edge','HKLM:\\SOFTWARE\\Microsoft\\PolicyManager\\current\\device\\Browser'); foreach($k in $keys){ if(Test-Path $k){ try{ $val=(Get-ItemProperty -Path $k -ErrorAction Stop).SmartScreenEnabled; if($null -ne $val -and [int]$val -ge 1){ return $true } } catch{} } } $false",
"minLevel": "ML1"
},
{
"id": "AH-Edge-DownloadRestrictions",
"title": "Edge download restrictions present",
"strategy": "AH",
"type": "scriptblock",
"script": "$edge=@('C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe','C:\\Program Files\\Microsoft\\Edge\\Application\\msedge.exe') | Where-Object {Test-Path $_}; if(-not $edge){ return $null }; foreach($k in @('HKLM:\\SOFTWARE\\Policies\\Microsoft\\Edge','HKCU:\\SOFTWARE\\Policies\\Microsoft\\Edge')){ if(Test-Path $k){ $v=(Get-ItemProperty -Path $k -ErrorAction SilentlyContinue).DownloadRestrictions; if($null -ne $v -and [int]$v -ge 1){ return $true } } } $false",
"minLevel": "ML1"
},
{
"id": "AH-Chrome-SafeBrowsing",
"title": "Chrome SafeBrowsing policy configured",
"strategy": "AH",
"type": "scriptblock",
"script": "$chrome=@('C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe','C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe') | Where-Object {Test-Path $_}; if(-not $chrome){ return $null }; foreach($k in @('HKLM:\\SOFTWARE\\Policies\\Google\\Chrome','HKCU:\\SOFTWARE\\Policies\\Google\\Chrome')){ if(Test-Path $k){ $v=(Get-ItemProperty -Path $k -ErrorAction SilentlyContinue).SafeBrowsingProtectionLevel; if($null -ne $v -and [int]$v -ge 1){ return $true } } } $false",
"minLevel": "ML1"
},
{
"id": "AH-Chrome-DownloadRestrictions",
"title": "Chrome download restrictions present",
"strategy": "AH",
"type": "scriptblock",
"script": "$chrome=@('C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe','C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe') | Where-Object {Test-Path $_}; if(-not $chrome){ return $null }; foreach($k in @('HKLM:\\SOFTWARE\\Policies\\Google\\Chrome','HKCU:\\SOFTWARE\\Policies\\Google\\Chrome')){ if(Test-Path $k){ $v=(Get-ItemProperty -Path $k -ErrorAction SilentlyContinue).DownloadRestrictions; if($null -ne $v -and [int]$v -ge 1){ return $true } } } $false",
"minLevel": "ML1"
},
{
"id": "AH-Chrome-Ext-Blocklist",
"title": "Chrome extension install blocklist configured",
"strategy": "AH",
"type": "scriptblock",
"script": "if(-not (Test-Path 'HKLM:\\SOFTWARE\\Policies\\Google\\Chrome') -and -not (Test-Path 'HKCU:\\SOFTWARE\\Policies\\Google\\Chrome')){ return $null } $k='HKLM:\\SOFTWARE\\Policies\\Google\\Chrome\\ExtensionInstallBlocklist'; $k2='HKCU:\\SOFTWARE\\Policies\\Google\\Chrome\\ExtensionInstallBlocklist'; if(Test-Path $k -or Test-Path $k2){ return $true } $false",
"minLevel": "ML1"
},
{
"id": "AH-Firefox-PolicyKey",
"title": "Firefox enterprise policies present",
"strategy": "AH",
"type": "scriptblock",
"script": "$ff=@('C:\\Program Files\\Mozilla Firefox\\firefox.exe','C:\\Program Files (x86)\\Mozilla Firefox\\firefox.exe') | Where-Object {Test-Path $_}; if(-not $ff){ return $null }; if( (Test-Path 'HKLM:\\SOFTWARE\\Policies\\Mozilla\\Firefox') -or (Test-Path 'HKCU:\\SOFTWARE\\Policies\\Mozilla\\Firefox') ){ return $true } else { return $false }",
"minLevel": "ML1"
},
{
"id": "AH-Windows-SmartScreen",
"title": "Windows SmartScreen enabled by policy",
"strategy": "AH",
"type": "scriptblock",
"script": "$paths=@('HKLM:\\SOFTWARE\\Policies\\Microsoft\\Windows\\System','HKCU:\\SOFTWARE\\Policies\\Microsoft\\Windows\\System','HKLM:\\SOFTWARE\\Policies\\Microsoft\\Windows\\Explorer','HKCU:\\SOFTWARE\\Policies\\Microsoft\\Windows\\Explorer'); foreach($p in $paths){ if(Test-Path $p){ $prop=Get-ItemProperty -Path $p -ErrorAction SilentlyContinue; if($null -ne $prop.EnableSmartScreen -and [int]$prop.EnableSmartScreen -eq 1){ return $true }; if($null -ne $prop.SmartScreenEnabled -and [int]$prop.SmartScreenEnabled -ge 1){ return $true } } } $false",
"minLevel": "ML1"
}
]

26
rules/ra.json Normal file
View File

@@ -0,0 +1,26 @@
[
{
"id": "RA-Local-Administrator-Disabled",
"title": "Built-in Administrator account is disabled",
"strategy": "RA",
"type": "scriptblock",
"script": "$u=Get-LocalUser -Name 'Administrator' -ErrorAction SilentlyContinue; if($null -eq $u){ return $true }; return (-not $u.Enabled)",
"minLevel": "ML1"
},
{
"id": "RA-UAC-Enabled",
"title": "User Account Control (EnableLUA) enabled",
"strategy": "RA",
"type": "scriptblock",
"script": "try { $v=(Get-ItemProperty -Path 'HKLM:\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System' -ErrorAction Stop).EnableLUA; if($null -ne $v -and [int]$v -eq 1){ return $true } else { return $false } } catch { return $false }",
"minLevel": "ML1"
},
{
"id": "RA-LAPS-PolicyPresent",
"title": "Windows LAPS (or legacy LAPS) policy present",
"strategy": "RA",
"type": "scriptblock",
"script": "if( (Test-Path 'HKLM:\\SOFTWARE\\Policies\\Microsoft\\Windows\\LAPS') -or (Test-Path 'HKLM:\\SOFTWARE\\Policies\\Microsoft Services\\AdmPwd') ){ return $true } else { return $false }",
"minLevel": "ML1"
}
]

162
rules/rm.json Normal file
View File

@@ -0,0 +1,162 @@
[
{
"id": "RM-01-VBAWarnings-Word-160",
"title": "Word macros disabled by policy (VBAWarnings=4) Office 16.0",
"strategy": "RM",
"type": "scriptblock",
"script": "$paths=@('HKLM:\\SOFTWARE\\Policies\\Microsoft\\Office\\16.0\\Word\\Security','HKCU:\\SOFTWARE\\Policies\\Microsoft\\Office\\16.0\\Word\\Security'); foreach($p in $paths){} foreach($p in $paths){ if(Test-Path $p){ $v=(Get-ItemProperty -Path $p -ErrorAction SilentlyContinue).VBAWarnings; if($null -ne $v -and [int]$v -eq 4){ return $true } } } $false",
"minLevel": "ML1"
},
{
"id": "RM-02-BlockInternet-Word-160",
"title": "Word: block macros from Internet (blockcontentexecutionfrominternet=1) Office 16.0",
"strategy": "RM",
"type": "scriptblock",
"script": "$paths=@('HKLM:\\SOFTWARE\\Policies\\Microsoft\\Office\\16.0\\Word\\Security','HKCU:\\SOFTWARE\\Policies\\Microsoft\\Office\\16.0\\Word\\Security'); foreach($p in $paths){ if(Test-Path $p){ $v=(Get-ItemProperty -Path $p -ErrorAction SilentlyContinue).blockcontentexecutionfrominternet; if($null -ne $v -and [int]$v -eq 1){ return $true } } } $false",
"minLevel": "ML1"
},
{
"id": "RM-01-VBAWarnings-Excel-160",
"title": "Excel macros disabled by policy (VBAWarnings=4) Office 16.0",
"strategy": "RM",
"type": "scriptblock",
"script": "$paths=@('HKLM:\\SOFTWARE\\Policies\\Microsoft\\Office\\16.0\\Excel\\Security','HKCU:\\SOFTWARE\\Policies\\Microsoft\\Office\\16.0\\Excel\\Security'); foreach($p in $paths){} foreach($p in $paths){ if(Test-Path $p){ $v=(Get-ItemProperty -Path $p -ErrorAction SilentlyContinue).VBAWarnings; if($null -ne $v -and [int]$v -eq 4){ return $true } } } $false",
"minLevel": "ML1"
},
{
"id": "RM-02-BlockInternet-Excel-160",
"title": "Excel: block macros from Internet (blockcontentexecutionfrominternet=1) Office 16.0",
"strategy": "RM",
"type": "scriptblock",
"script": "$paths=@('HKLM:\\SOFTWARE\\Policies\\Microsoft\\Office\\16.0\\Excel\\Security','HKCU:\\SOFTWARE\\Policies\\Microsoft\\Office\\16.0\\Excel\\Security'); foreach($p in $paths){ if(Test-Path $p){ $v=(Get-ItemProperty -Path $p -ErrorAction SilentlyContinue).blockcontentexecutionfrominternet; if($null -ne $v -and [int]$v -eq 1){ return $true } } } $false",
"minLevel": "ML1"
},
{
"id": "RM-01-VBAWarnings-PowerPoint-160",
"title": "PowerPoint macros disabled by policy (VBAWarnings=4) Office 16.0",
"strategy": "RM",
"type": "scriptblock",
"script": "$paths=@('HKLM:\\SOFTWARE\\Policies\\Microsoft\\Office\\16.0\\PowerPoint\\Security','HKCU:\\SOFTWARE\\Policies\\Microsoft\\Office\\16.0\\PowerPoint\\Security'); foreach($p in $paths){} foreach($p in $paths){ if(Test-Path $p){ $v=(Get-ItemProperty -Path $p -ErrorAction SilentlyContinue).VBAWarnings; if($null -ne $v -and [int]$v -eq 4){ return $true } } } $false",
"minLevel": "ML1"
},
{
"id": "RM-02-BlockInternet-PowerPoint-160",
"title": "PowerPoint: block macros from Internet (blockcontentexecutionfrominternet=1) Office 16.0",
"strategy": "RM",
"type": "scriptblock",
"script": "$paths=@('HKLM:\\SOFTWARE\\Policies\\Microsoft\\Office\\16.0\\PowerPoint\\Security','HKCU:\\SOFTWARE\\Policies\\Microsoft\\Office\\16.0\\PowerPoint\\Security'); foreach($p in $paths){ if(Test-Path $p){ $v=(Get-ItemProperty -Path $p -ErrorAction SilentlyContinue).blockcontentexecutionfrominternet; if($null -ne $v -and [int]$v -eq 1){ return $true } } } $false",
"minLevel": "ML1"
},
{
"id": "RM-01-VBAWarnings-Outlook-160",
"title": "Outlook macros disabled by policy (VBAWarnings=4) Office 16.0",
"strategy": "RM",
"type": "scriptblock",
"script": "$paths=@('HKLM:\\SOFTWARE\\Policies\\Microsoft\\Office\\16.0\\Outlook\\Security','HKCU:\\SOFTWARE\\Policies\\Microsoft\\Office\\16.0\\Outlook\\Security'); foreach($p in $paths){} foreach($p in $paths){ if(Test-Path $p){ $v=(Get-ItemProperty -Path $p -ErrorAction SilentlyContinue).VBAWarnings; if($null -ne $v -and [int]$v -eq 4){ return $true } } } $false",
"minLevel": "ML1"
},
{
"id": "RM-02-BlockInternet-Outlook-160",
"title": "Outlook: block macros from Internet (blockcontentexecutionfrominternet=1) Office 16.0",
"strategy": "RM",
"type": "scriptblock",
"script": "$paths=@('HKLM:\\SOFTWARE\\Policies\\Microsoft\\Office\\16.0\\Outlook\\Security','HKCU:\\SOFTWARE\\Policies\\Microsoft\\Office\\16.0\\Outlook\\Security'); foreach($p in $paths){ if(Test-Path $p){ $v=(Get-ItemProperty -Path $p -ErrorAction SilentlyContinue).blockcontentexecutionfrominternet; if($null -ne $v -and [int]$v -eq 1){ return $true } } } $false",
"minLevel": "ML1"
},
{
"id": "RM-01-VBAWarnings-Word-150",
"title": "Word macros disabled by policy (VBAWarnings=4) Office 15.0",
"strategy": "RM",
"type": "scriptblock",
"script": "$paths=@('HKLM:\\SOFTWARE\\Policies\\Microsoft\\Office\\15.0\\Word\\Security','HKCU:\\SOFTWARE\\Policies\\Microsoft\\Office\\15.0\\Word\\Security'); foreach($p in $paths){} foreach($p in $paths){ if(Test-Path $p){ $v=(Get-ItemProperty -Path $p -ErrorAction SilentlyContinue).VBAWarnings; if($null -ne $v -and [int]$v -eq 4){ return $true } } } $false",
"minLevel": "ML1"
},
{
"id": "RM-02-BlockInternet-Word-150",
"title": "Word: block macros from Internet (blockcontentexecutionfrominternet=1) Office 15.0",
"strategy": "RM",
"type": "scriptblock",
"script": "$paths=@('HKLM:\\SOFTWARE\\Policies\\Microsoft\\Office\\15.0\\Word\\Security','HKCU:\\SOFTWARE\\Policies\\Microsoft\\Office\\15.0\\Word\\Security'); foreach($p in $paths){ if(Test-Path $p){ $v=(Get-ItemProperty -Path $p -ErrorAction SilentlyContinue).blockcontentexecutionfrominternet; if($null -ne $v -and [int]$v -eq 1){ return $true } } } $false",
"minLevel": "ML1"
},
{
"id": "RM-01-VBAWarnings-Excel-150",
"title": "Excel macros disabled by policy (VBAWarnings=4) Office 15.0",
"strategy": "RM",
"type": "scriptblock",
"script": "$paths=@('HKLM:\\SOFTWARE\\Policies\\Microsoft\\Office\\15.0\\Excel\\Security','HKCU:\\SOFTWARE\\Policies\\Microsoft\\Office\\15.0\\Excel\\Security'); foreach($p in $paths){} foreach($p in $paths){ if(Test-Path $p){ $v=(Get-ItemProperty -Path $p -ErrorAction SilentlyContinue).VBAWarnings; if($null -ne $v -and [int]$v -eq 4){ return $true } } } $false",
"minLevel": "ML1"
},
{
"id": "RM-02-BlockInternet-Excel-150",
"title": "Excel: block macros from Internet (blockcontentexecutionfrominternet=1) Office 15.0",
"strategy": "RM",
"type": "scriptblock",
"script": "$paths=@('HKLM:\\SOFTWARE\\Policies\\Microsoft\\Office\\15.0\\Excel\\Security','HKCU:\\SOFTWARE\\Policies\\Microsoft\\Office\\15.0\\Excel\\Security'); foreach($p in $paths){ if(Test-Path $p){ $v=(Get-ItemProperty -Path $p -ErrorAction SilentlyContinue).blockcontentexecutionfrominternet; if($null -ne $v -and [int]$v -eq 1){ return $true } } } $false",
"minLevel": "ML1"
},
{
"id": "RM-01-VBAWarnings-PowerPoint-150",
"title": "PowerPoint macros disabled by policy (VBAWarnings=4) Office 15.0",
"strategy": "RM",
"type": "scriptblock",
"script": "$paths=@('HKLM:\\SOFTWARE\\Policies\\Microsoft\\Office\\15.0\\PowerPoint\\Security','HKCU:\\SOFTWARE\\Policies\\Microsoft\\Office\\15.0\\PowerPoint\\Security'); foreach($p in $paths){} foreach($p in $paths){ if(Test-Path $p){ $v=(Get-ItemProperty -Path $p -ErrorAction SilentlyContinue).VBAWarnings; if($null -ne $v -and [int]$v -eq 4){ return $true } } } $false",
"minLevel": "ML1"
},
{
"id": "RM-02-BlockInternet-PowerPoint-150",
"title": "PowerPoint: block macros from Internet (blockcontentexecutionfrominternet=1) Office 15.0",
"strategy": "RM",
"type": "scriptblock",
"script": "$paths=@('HKLM:\\SOFTWARE\\Policies\\Microsoft\\Office\\15.0\\PowerPoint\\Security','HKCU:\\SOFTWARE\\Policies\\Microsoft\\Office\\15.0\\PowerPoint\\Security'); foreach($p in $paths){ if(Test-Path $p){ $v=(Get-ItemProperty -Path $p -ErrorAction SilentlyContinue).blockcontentexecutionfrominternet; if($null -ne $v -and [int]$v -eq 1){ return $true } } } $false",
"minLevel": "ML1"
},
{
"id": "RM-01-VBAWarnings-Outlook-150",
"title": "Outlook macros disabled by policy (VBAWarnings=4) Office 15.0",
"strategy": "RM",
"type": "scriptblock",
"script": "$paths=@('HKLM:\\SOFTWARE\\Policies\\Microsoft\\Office\\15.0\\Outlook\\Security','HKCU:\\SOFTWARE\\Policies\\Microsoft\\Office\\15.0\\Outlook\\Security'); foreach($p in $paths){} foreach($p in $paths){ if(Test-Path $p){ $v=(Get-ItemProperty -Path $p -ErrorAction SilentlyContinue).VBAWarnings; if($null -ne $v -and [int]$v -eq 4){ return $true } } } $false",
"minLevel": "ML1"
},
{
"id": "RM-02-BlockInternet-Outlook-150",
"title": "Outlook: block macros from Internet (blockcontentexecutionfrominternet=1) Office 15.0",
"strategy": "RM",
"type": "scriptblock",
"script": "$paths=@('HKLM:\\SOFTWARE\\Policies\\Microsoft\\Office\\15.0\\Outlook\\Security','HKCU:\\SOFTWARE\\Policies\\Microsoft\\Office\\15.0\\Outlook\\Security'); foreach($p in $paths){ if(Test-Path $p){ $v=(Get-ItemProperty -Path $p -ErrorAction SilentlyContinue).blockcontentexecutionfrominternet; if($null -ne $v -and [int]$v -eq 1){ return $true } } } $false",
"minLevel": "ML1"
},
{
"id": "RM-03-MacroRuntimeScan-160",
"title": "Macro runtime AV scanning configured (Office 16.0 common security)",
"strategy": "RM",
"type": "scriptblock",
"script": "$paths=@('HKLM:\\SOFTWARE\\Policies\\Microsoft\\Office\\16.0\\Common\\Security','HKCU:\\SOFTWARE\\Policies\\Microsoft\\Office\\16.0\\Common\\Security'); foreach($p in $paths){ if(Test-Path $p){ $v=(Get-ItemProperty -Path $p -ErrorAction SilentlyContinue).MacroRuntimeScanScope; if($null -ne $v -and @('1','2') -contains ([string]$v)){ return $true } } } $false",
"minLevel": "ML1"
},
{
"id": "RM-03-MacroRuntimeScan-150",
"title": "Macro runtime AV scanning configured (Office 15.0 common security)",
"strategy": "RM",
"type": "scriptblock",
"script": "$paths=@('HKLM:\\SOFTWARE\\Policies\\Microsoft\\Office\\15.0\\Common\\Security','HKCU:\\SOFTWARE\\Policies\\Microsoft\\Office\\15.0\\Common\\Security'); foreach($p in $paths){ if(Test-Path $p){ $v=(Get-ItemProperty -Path $p -ErrorAction SilentlyContinue).MacroRuntimeScanScope; if($null -ne $v -and @('1','2') -contains ([string]$v)){ return $true } } } $false",
"minLevel": "ML1"
},
{
"id": "RM-TRUSTED-PUBLISHERS-160",
"title": "Trusted Publishers enforcement present (Office 16.0)",
"strategy": "RM",
"type": "scriptblock",
"script": "$p='HKLM:\\SOFTWARE\\Policies\\Microsoft\\Office\\16.0\\Common\\Security'; if(Test-Path $p){ $v=(Get-ItemProperty -Path $p -ErrorAction SilentlyContinue).TrustedPublisher; if($null -ne $v -and [int]$v -eq 1){ return $true } } $false",
"minLevel": "ML3"
},
{
"id": "RM-TRUSTED-PUBLISHERS-150",
"title": "Trusted Publishers enforcement present (Office 15.0)",
"strategy": "RM",
"type": "scriptblock",
"script": "$p='HKLM:\\SOFTWARE\\Policies\\Microsoft\\Office\\15.0\\Common\\Security'; if(Test-Path $p){ $v=(Get-ItemProperty -Path $p -ErrorAction SilentlyContinue).TrustedPublisher; if($null -ne $v -and [int]$v -eq 1){ return $true } } $false",
"minLevel": "ML3"
}
]