Module/Common/Data.ps1
# Copyright (c) Microsoft Corporation. All rights reserved. # Licensed under the MIT License. # This is used to centralize the regEx patterns data RegularExpression { ConvertFrom-StringData -stringdata @' # General matches dash = - # match a exactly one ( the first ) hexcode in a string hexCode = \\b(0x[A-Fa-f0-9]{8}){1}\\b # looks for an integer but is not hex leadingIntegerUnbound = \\b([0-9]{1,})\\b textBetweenQuotes = ["\''](.*?)["\''] textBetweenParentheses = \\(([^\)]+)\\) spaceDashSpace = \\s-\\s TypePrincipalAccess = (?:\\bType\\b\\s*-\\s*\\w*\\s*)(?:\\bPrincipal\\b\\s*-\\s*(\\w*\\s*){1,2})(?:\\bAccess\\b\\s*-\\s*\\w*\\s*) InheritancePermissionMap = :\\(\\w\\)\\(\\w\\) PermissionRuleMap = \\(\\w\\)\\s*-\\s*\\w blankString = \\(Blank\\) nonLetters = [^a-zA-Z ] enabledOrDisabled = Enable(d)?|Disable(d)? # Windows Feature Rule Matches FeatureNameEquals = FeatureName\\s-eq\\s*\\S* FeatureNameSpaceColon = FeatureName\\s\\:\\s\\S* IfTheApplicationExists = If the [\\s\\S]*?application exists WebDavPublishingFeature = ((W|w)eb(DAV|(D|d)av) (A|a)uthoring)|(WebDAV Publishing) SimpleTCP = Simple\\sTCP/IP\\sServices IISWebserver = Internet\\sInformation\\sServices IISHostableWebCore = Internet\\sInformation\\sServices\\sHostable\\sWeb\\sCore # Service policy matches McAfee = McAfee Agent SmartCardRemovalPolicy = Smart Card Removal Policy SecondaryLogon = Secondary Logon followingservices = Verify the Startup Type for the following Windows services: # DNS rules matches textBetweenTheTab = the\\s(?s)(.*)tab\\. allEvents = \\"All\\sevents\\" # Permission policy matches WinEvtDirectory = %SystemRoot%\\\\SYSTEM32\\\\WINEVT\\\\LOGS cDrive = system drive's root directory SysVol = Windows\\\\SYSVOL eventViewer = eventvwr\.exe systemRoot = Windows installation directory adminShares = (?=.*?\\bADMIN\\b\\$)(?=.*?\\bC\\b\\$)(?=.*?\\bIPC\\b\\$).*$ permissionRegistryInstalled = (?=.*?\\bHKEY_LOCAL_MACHINE\\b)(?=.*?\\bInstalled\\sComponents\\b).*$ permissionRegistryWinlogon = (?=.*?\\bHKEY_LOCAL_MACHINE\\b)(?=.*?\\bWinlogon\\b).*$ permissionRegistryWinreg = (?=.*?\\bHKEY_LOCAL_MACHINE\\b)(?=.*?\\bwinreg\\b).*$ permissionRegistryNTDS = (?=.*?\\bHKEY_LOCAL_MACHINE\\b)(?=.*?\\bNTDS\\b).*$ programFiles = ^\\\\Program\\sFiles\\sand\\s\\\\Program\\sFiles\\s\\(x86\\) dnsServerLog = DNS\\sServer\\.evtx cryptoFolder = ^%ALLUSERSPROFILE%\\\\Microsoft\\\\Crypto$ hklmSecurity = HKEY_LOCAL_MACHINE\\\\SECURITY hklmSoftware = HKEY_LOCAL_MACHINE\\\\SOFTWARE hklmSystem = HKEY_LOCAL_MACHINE\\\\SYSTEM hklmRootKeys = HKEY_LOCAL_MACHINE\\\\(SECURITY|SOFTWARE|SYSTEM) rootOfC = ^C\\:\\\\$ winDir = ^\\\\Windows programFiles86 = ^\\\\Program\\sFiles\\s\\(x86\\)* programFileFolder = ^\\\\Program\\sFiles$ # WinEventLog rule matches WinEventLogPath = Logs\\\\Microsoft\\\\Windows ADAuditPath = Verify the auditing configuration for (the)? inetpub = inetpub '@ } data ADAuditPath { ConvertFrom-StringData -StringData @' domain = {Domain} Domain Controller OU = OU=Domain Controllers,{Domain} AdminSDHolder = CN=AdminSDHolder,CN=System,{Domain} RID Manager$ = CN=RID Manager$,CN=System,{Domain} Infrastructure = CN=Infrastructure,{Domain} '@ } # This is used to centralize the regEx patterns data rangeMatch { ConvertFrom-StringData -stringdata @' gt = ^0x([A-Fa-f0-9]{8}) ge = ^[0-9]{1,} lt = or less less than = lt or less = lt le = '(.*?)' '@ } data errorMessage { ConvertFrom-StringData -stringdata @' ruleNotFound = rule not found ruleNotComplete = rule not complete '@ } data processMitigationRegex { ConvertFrom-StringData -StringData @' TextBetweenDoubleQuoteAndColon = "[\\s\\S]*?: TextBetweenColonAndDoubleQuote = :[\\s\\S]*?" EnableColon = Enable: ColonSpaceOn = :\\sON IfTheStatusOf = If\\sthe\\sstatus\\sof IfTheStatusOfIsOff = If\\sthe\\sstatus\\sof[\\s\\S]*?\\sis\\s"OFF"[\\s\\S]*this\\sis\\sa\\sfinding NotHaveAStatusOfOn = If\\sthe\\sfollowing\\smitigations\\sdo\\snot\\shave\\sa\\sstatus\\sof\\s"ON" '@ } # List rules that can be excluded data exclusionRuleList { ConvertFrom-StringData -StringData @' V-73523 = '@ } data webRegularExpression { ConvertFrom-StringData -stringdata @' configSection = (?<=\")system.+?(?=\") customFields = >> customFieldSection = Under "Custom Fields", verify the following fields excludeExtendedAscii = [^\x20-\x7A]+ keyValuePairLine = Verify.+?(reflects|is set to) keyValuePair = (?<=\").+?(?=\") logFlags = (?<=(")?Select Fields(")?, verify at a minimum the following fields are checked:).+(?=\.) logFormat = Verify the "Format:" under "Log File" is configured to logPeriod = Verify a schedule is configured to rollover log files logTargetW3c = Under Log Event Destination, verify the mimeType = (?<=)^[.].+(?=) mimeTypeAbsent = verify MIME types for OS shell program extensions have been removed standardFields = (?<=Under "Standard Fields",).+ standardFieldEntries = "([^"]*)" HMACSHA256 = Verify "HMACSHA256" is selected for the Validation method autoEncryptionMethod = "Auto" is selected for the Encryption method CGIModules = "Allow unspecified CGI modules" ISAPIModules = "Allow unspecified ISAPI modules" useCookies = (Use Cookies|UseCookies) expiredSession = Regenerate expired session ID sessionTimeout = Time\-out inetpub = inetpub '@ } data eventLogRegularExpression { <# The name entry was added to support event log name extraction from the different formats found in different Window Server STIGs. For example in the 2012 Stig, (Application.evtx) was used, in 2016 “Application.evtx” is used, so name now extracts the log name from the extension and the preceding word. #> ConvertFrom-StringData -stringdata @' name = \\w+\\.evtx '@ } |