[
{
"id": "RM-01-VBAWarnings-Word-160",
"title": "Word macros disabled by policy (VBAWarnings=4) Office 16.0",
"strategy": "RM",
"type": "scriptblock",
"script": "$paths=@('HKLM:\\SOFTWARE\\Policies\\Microsoft\\Office\\16.0\\Word\\Security','HKCU:\\SOFTWARE\\Policies\\Microsoft\\Office\\16.0\\Word\\Security'); foreach($p in $paths){} foreach($p in $paths){ if(Test-Path $p){ $v=(Get-ItemProperty -Path $p -ErrorAction SilentlyContinue).VBAWarnings; if($null -ne $v -and [int]$v -eq 4){ return $true } } } $false",
"minLevel": "ML1"
},
{
"id": "RM-02-BlockInternet-Word-160",
"title": "Word: block macros from Internet (blockcontentexecutionfrominternet=1) Office 16.0",
"strategy": "RM",
"type": "scriptblock",
"script": "$paths=@('HKLM:\\SOFTWARE\\Policies\\Microsoft\\Office\\16.0\\Word\\Security','HKCU:\\SOFTWARE\\Policies\\Microsoft\\Office\\16.0\\Word\\Security'); foreach($p in $paths){ if(Test-Path $p){ $v=(Get-ItemProperty -Path $p -ErrorAction SilentlyContinue).blockcontentexecutionfrominternet; if($null -ne $v -and [int]$v -eq 1){ return $true } } } $false",
"minLevel": "ML1"
},
{
"id": "RM-01-VBAWarnings-Excel-160",
"title": "Excel macros disabled by policy (VBAWarnings=4) Office 16.0",
"strategy": "RM",
"type": "scriptblock",
"script": "$paths=@('HKLM:\\SOFTWARE\\Policies\\Microsoft\\Office\\16.0\\Excel\\Security','HKCU:\\SOFTWARE\\Policies\\Microsoft\\Office\\16.0\\Excel\\Security'); foreach($p in $paths){} foreach($p in $paths){ if(Test-Path $p){ $v=(Get-ItemProperty -Path $p -ErrorAction SilentlyContinue).VBAWarnings; if($null -ne $v -and [int]$v -eq 4){ return $true } } } $false",
"minLevel": "ML1"
},
{
"id": "RM-02-BlockInternet-Excel-160",
"title": "Excel: block macros from Internet (blockcontentexecutionfrominternet=1) Office 16.0",
"strategy": "RM",
"type": "scriptblock",
"script": "$paths=@('HKLM:\\SOFTWARE\\Policies\\Microsoft\\Office\\16.0\\Excel\\Security','HKCU:\\SOFTWARE\\Policies\\Microsoft\\Office\\16.0\\Excel\\Security'); foreach($p in $paths){ if(Test-Path $p){ $v=(Get-ItemProperty -Path $p -ErrorAction SilentlyContinue).blockcontentexecutionfrominternet; if($null -ne $v -and [int]$v -eq 1){ return $true } } } $false",
"minLevel": "ML1"
},
{
"id": "RM-01-VBAWarnings-PowerPoint-160",
"title": "PowerPoint macros disabled by policy (VBAWarnings=4) Office 16.0",
"strategy": "RM",
"type": "scriptblock",
"script": "$paths=@('HKLM:\\SOFTWARE\\Policies\\Microsoft\\Office\\16.0\\PowerPoint\\Security','HKCU:\\SOFTWARE\\Policies\\Microsoft\\Office\\16.0\\PowerPoint\\Security'); foreach($p in $paths){} foreach($p in $paths){ if(Test-Path $p){ $v=(Get-ItemProperty -Path $p -ErrorAction SilentlyContinue).VBAWarnings; if($null -ne $v -and [int]$v -eq 4){ return $true } } } $false",
"minLevel": "ML1"
},
{
"id": "RM-02-BlockInternet-PowerPoint-160",
"title": "PowerPoint: block macros from Internet (blockcontentexecutionfrominternet=1) Office 16.0",
"strategy": "RM",
"type": "scriptblock",
"script": "$paths=@('HKLM:\\SOFTWARE\\Policies\\Microsoft\\Office\\16.0\\PowerPoint\\Security','HKCU:\\SOFTWARE\\Policies\\Microsoft\\Office\\16.0\\PowerPoint\\Security'); foreach($p in $paths){ if(Test-Path $p){ $v=(Get-ItemProperty -Path $p -ErrorAction SilentlyContinue).blockcontentexecutionfrominternet; if($null -ne $v -and [int]$v -eq 1){ return $true } } } $false",
"minLevel": "ML1"
},
{
"id": "RM-01-VBAWarnings-Outlook-160",
"title": "Outlook macros disabled by policy (VBAWarnings=4) Office 16.0",
"strategy": "RM",
"type": "scriptblock",
"script": "$paths=@('HKLM:\\SOFTWARE\\Policies\\Microsoft\\Office\\16.0\\Outlook\\Security','HKCU:\\SOFTWARE\\Policies\\Microsoft\\Office\\16.0\\Outlook\\Security'); foreach($p in $paths){} foreach($p in $paths){ if(Test-Path $p){ $v=(Get-ItemProperty -Path $p -ErrorAction SilentlyContinue).VBAWarnings; if($null -ne $v -and [int]$v -eq 4){ return $true } } } $false",
"minLevel": "ML1"
},
{
"id": "RM-02-BlockInternet-Outlook-160",
"title": "Outlook: block macros from Internet (blockcontentexecutionfrominternet=1) Office 16.0",
"strategy": "RM",
"type": "scriptblock",
"script": "$paths=@('HKLM:\\SOFTWARE\\Policies\\Microsoft\\Office\\16.0\\Outlook\\Security','HKCU:\\SOFTWARE\\Policies\\Microsoft\\Office\\16.0\\Outlook\\Security'); foreach($p in $paths){ if(Test-Path $p){ $v=(Get-ItemProperty -Path $p -ErrorAction SilentlyContinue).blockcontentexecutionfrominternet; if($null -ne $v -and [int]$v -eq 1){ return $true } } } $false",
"minLevel": "ML1"
},
{
"id": "RM-01-VBAWarnings-Word-150",
"title": "Word macros disabled by policy (VBAWarnings=4) Office 15.0",
"strategy": "RM",
"type": "scriptblock",
"script": "$paths=@('HKLM:\\SOFTWARE\\Policies\\Microsoft\\Office\\15.0\\Word\\Security','HKCU:\\SOFTWARE\\Policies\\Microsoft\\Office\\15.0\\Word\\Security'); foreach($p in $paths){} foreach($p in $paths){ if(Test-Path $p){ $v=(Get-ItemProperty -Path $p -ErrorAction SilentlyContinue).VBAWarnings; if($null -ne $v -and [int]$v -eq 4){ return $true } } } $false",
"minLevel": "ML1"
},
{
"id": "RM-02-BlockInternet-Word-150",
"title": "Word: block macros from Internet (blockcontentexecutionfrominternet=1) Office 15.0",
"strategy": "RM",
"type": "scriptblock",
"script": "$paths=@('HKLM:\\SOFTWARE\\Policies\\Microsoft\\Office\\15.0\\Word\\Security','HKCU:\\SOFTWARE\\Policies\\Microsoft\\Office\\15.0\\Word\\Security'); foreach($p in $paths){ if(Test-Path $p){ $v=(Get-ItemProperty -Path $p -ErrorAction SilentlyContinue).blockcontentexecutionfrominternet; if($null -ne $v -and [int]$v -eq 1){ return $true } } } $false",
"minLevel": "ML1"
},
{
"id": "RM-01-VBAWarnings-Excel-150",
"title": "Excel macros disabled by policy (VBAWarnings=4) Office 15.0",
"strategy": "RM",
"type": "scriptblock",
"script": "$paths=@('HKLM:\\SOFTWARE\\Policies\\Microsoft\\Office\\15.0\\Excel\\Security','HKCU:\\SOFTWARE\\Policies\\Microsoft\\Office\\15.0\\Excel\\Security'); foreach($p in $paths){} foreach($p in $paths){ if(Test-Path $p){ $v=(Get-ItemProperty -Path $p -ErrorAction SilentlyContinue).VBAWarnings; if($null -ne $v -and [int]$v -eq 4){ return $true } } } $false",
"minLevel": "ML1"
},
{
"id": "RM-02-BlockInternet-Excel-150",
"title": "Excel: block macros from Internet (blockcontentexecutionfrominternet=1) Office 15.0",
"strategy": "RM",
"type": "scriptblock",
"script": "$paths=@('HKLM:\\SOFTWARE\\Policies\\Microsoft\\Office\\15.0\\Excel\\Security','HKCU:\\SOFTWARE\\Policies\\Microsoft\\Office\\15.0\\Excel\\Security'); foreach($p in $paths){ if(Test-Path $p){ $v=(Get-ItemProperty -Path $p -ErrorAction SilentlyContinue).blockcontentexecutionfrominternet; if($null -ne $v -and [int]$v -eq 1){ return $true } } } $false",
"minLevel": "ML1"
},
{
"id": "RM-01-VBAWarnings-PowerPoint-150",
"title": "PowerPoint macros disabled by policy (VBAWarnings=4) Office 15.0",
"strategy": "RM",
"type": "scriptblock",
"script": "$paths=@('HKLM:\\SOFTWARE\\Policies\\Microsoft\\Office\\15.0\\PowerPoint\\Security','HKCU:\\SOFTWARE\\Policies\\Microsoft\\Office\\15.0\\PowerPoint\\Security'); foreach($p in $paths){} foreach($p in $paths){ if(Test-Path $p){ $v=(Get-ItemProperty -Path $p -ErrorAction SilentlyContinue).VBAWarnings; if($null -ne $v -and [int]$v -eq 4){ return $true } } } $false",
"minLevel": "ML1"
},
{
"id": "RM-02-BlockInternet-PowerPoint-150",
"title": "PowerPoint: block macros from Internet (blockcontentexecutionfrominternet=1) Office 15.0",
"strategy": "RM",
"type": "scriptblock",
"script": "$paths=@('HKLM:\\SOFTWARE\\Policies\\Microsoft\\Office\\15.0\\PowerPoint\\Security','HKCU:\\SOFTWARE\\Policies\\Microsoft\\Office\\15.0\\PowerPoint\\Security'); foreach($p in $paths){ if(Test-Path $p){ $v=(Get-ItemProperty -Path $p -ErrorAction SilentlyContinue).blockcontentexecutionfrominternet; if($null -ne $v -and [int]$v -eq 1){ return $true } } } $false",
"minLevel": "ML1"
},
{
"id": "RM-01-VBAWarnings-Outlook-150",
"title": "Outlook macros disabled by policy (VBAWarnings=4) Office 15.0",
"strategy": "RM",
"type": "scriptblock",
"script": "$paths=@('HKLM:\\SOFTWARE\\Policies\\Microsoft\\Office\\15.0\\Outlook\\Security','HKCU:\\SOFTWARE\\Policies\\Microsoft\\Office\\15.0\\Outlook\\Security'); foreach($p in $paths){} foreach($p in $paths){ if(Test-Path $p){ $v=(Get-ItemProperty -Path $p -ErrorAction SilentlyContinue).VBAWarnings; if($null -ne $v -and [int]$v -eq 4){ return $true } } } $false",
"minLevel": "ML1"
},
{
"id": "RM-02-BlockInternet-Outlook-150",
"title": "Outlook: block macros from Internet (blockcontentexecutionfrominternet=1) Office 15.0",
"strategy": "RM",
"type": "scriptblock",
"script": "$paths=@('HKLM:\\SOFTWARE\\Policies\\Microsoft\\Office\\15.0\\Outlook\\Security','HKCU:\\SOFTWARE\\Policies\\Microsoft\\Office\\15.0\\Outlook\\Security'); foreach($p in $paths){ if(Test-Path $p){ $v=(Get-ItemProperty -Path $p -ErrorAction SilentlyContinue).blockcontentexecutionfrominternet; if($null -ne $v -and [int]$v -eq 1){ return $true } } } $false",
"minLevel": "ML1"
},
{
"id": "RM-03-MacroRuntimeScan-160",
"title": "Macro runtime AV scanning configured (MacroRuntimeScanScope=1 or 2) Office 16.0 common security",
"strategy": "RM",
"type": "scriptblock",
"script": "$paths=@('HKLM:\\SOFTWARE\\Policies\\Microsoft\\Office\\16.0\\Common\\Security','HKCU:\\SOFTWARE\\Policies\\Microsoft\\Office\\16.0\\Common\\Security'); foreach($p in $paths){ if(Test-Path $p){ $v=(Get-ItemProperty -Path $p -ErrorAction SilentlyContinue).MacroRuntimeScanScope; if($null -ne $v -and @('1','2') -contains ([string]$v)){ return $true } } } $false",
"minLevel": "ML1"
},
{
"id": "RM-03-MacroRuntimeScan-150",
"title": "Macro runtime AV scanning configured (MacroRuntimeScanScope=1 or 2) Office 15.0 common security",
"strategy": "RM",
"type": "scriptblock",
"script": "$paths=@('HKLM:\\SOFTWARE\\Policies\\Microsoft\\Office\\15.0\\Common\\Security','HKCU:\\SOFTWARE\\Policies\\Microsoft\\Office\\15.0\\Common\\Security'); foreach($p in $paths){ if(Test-Path $p){ $v=(Get-ItemProperty -Path $p -ErrorAction SilentlyContinue).MacroRuntimeScanScope; if($null -ne $v -and @('1','2') -contains ([string]$v)){ return $true } } } $false",
"minLevel": "ML1"
},
{
"id": "RM-TRUSTED-PUBLISHERS-160",
"title": "Trusted Publishers enforcement present (TrustedPublisher=1, HKLM policy key only) Office 16.0",
"strategy": "RM",
"type": "scriptblock",
"script": "$p='HKLM:\\SOFTWARE\\Policies\\Microsoft\\Office\\16.0\\Common\\Security'; if(Test-Path $p){ $v=(Get-ItemProperty -Path $p -ErrorAction SilentlyContinue).TrustedPublisher; if($null -ne $v -and [int]$v -eq 1){ return $true } } $false",
"minLevel": "ML3"
},
{
"id": "RM-TRUSTED-PUBLISHERS-150",
"title": "Trusted Publishers enforcement present (TrustedPublisher=1, HKLM policy key only) Office 15.0",
"strategy": "RM",
"type": "scriptblock",
"script": "$p='HKLM:\\SOFTWARE\\Policies\\Microsoft\\Office\\15.0\\Common\\Security'; if(Test-Path $p){ $v=(Get-ItemProperty -Path $p -ErrorAction SilentlyContinue).TrustedPublisher; if($null -ne $v -and [int]$v -eq 1){ return $true } } $false",
"minLevel": "ML3"
}
]