E8-CAT/rules/ac.json
2025-09-02 16:42:12 +02:00


[
{
"id": "AC-01-AppLocker",
"title": "AppLocker effective policy contains at least one rule collection",
"strategy": "AC",
"type": "scriptblock",
"script": "try { (Get-AppLockerPolicy -Effective).RuleCollections.Count -gt 0 } catch { $false }",
"minLevel": "ML1"
},
{
"id": "AC-AppLocker-Enforced",
"title": "AppLocker enforcement mode set and not AuditOnly for at least one rule collection",
"strategy": "AC",
"type": "scriptblock",
"script": "(Get-AppLockerPolicy -Effective -ErrorAction SilentlyContinue).RuleCollections | Where-Object { $_.EnforcementMode -and $_.EnforcementMode -ne 'AuditOnly' } | Measure-Object | ForEach-Object { $_.Count -gt 0 }",
"minLevel": "ML1"
},
{
"id": "AC-02-WDAC",
"title": "WDAC policy registry key present",
"strategy": "AC",
"type": "scriptblock",
"script": "Test-Path 'HKLM:\\SYSTEM\\CurrentControlSet\\Control\\CI\\Policy'",
"minLevel": "ML1"
},
{
"id": "AC-03-SRP",
"title": "Software Restriction Policies registry key present",
"strategy": "AC",
"type": "scriptblock",
"script": "Test-Path 'HKLM:\\SOFTWARE\\Policies\\Microsoft\\Windows\\Safer\\CodeIdentifiers'",
"minLevel": "ML1"
}
]