Fix MFT Rules to Forward Slash

reece394 · web-flow · commit 97be1d904f95 · 2025-01-11T20:02:35.000Z
diff --git a/rules/mft/adamntds_dit_mft.yml b/rules/mft/adamntds_dit_mft.yml
@@ -49,9 +49,9 @@ filter:
 
   adamntds_2:
     FullPath:
-      - 'iProgram Files\Microsoft ADAM\*'
-      - 'iWindows\WinSxS*'
-      - 'iWindows\servicing\LCU\*'
+      - 'iProgram Files/Microsoft ADAM/*'
+      - 'iWindows/WinSxS*'
+      - 'iWindows/servicing/LCU/*'
     
   adamntds_3:
     FileSize:
diff --git a/rules/mft/ntds_dit_mft.yml b/rules/mft/ntds_dit_mft.yml
@@ -49,9 +49,9 @@ filter:
 
   ntds_2:
     FullPath:
-      - 'iWindows\NTDS\NTDS.dit'
-      - 'iWindows\WinSxS*'
-      - 'iWindows\servicing\LCU\*'
+      - 'iWindows/NTDS/NTDS.dit'
+      - 'iWindows/WinSxS*'
+      - 'iWindows/servicing/LCU/*'
       - 'i*adamntds.dit*'
 
   ntds_3:
diff --git a/rules/mft/sup_script_exec_intel_mft.yml b/rules/mft/sup_script_exec_intel_mft.yml
@@ -115,4 +115,4 @@ filter:
 
   directory:
     FullPath:
-      - 'iIntel\*'
+      - 'iIntel/*'
diff --git a/rules/mft/sup_script_exec_perflogs_mft.yml b/rules/mft/sup_script_exec_perflogs_mft.yml
@@ -7,7 +7,7 @@ authors:
 
 
 kind: mft
-level: high
+level: medium
 status: stable
 timestamp: StandardInfoCreated
 
@@ -115,4 +115,4 @@ filter:
 
   directory:
     FullPath:
-      - 'iPerfLogs\*'
+      - 'iPerfLogs/*'
diff --git a/rules/mft/sup_script_exec_program_files_root_mft.yml b/rules/mft/sup_script_exec_program_files_root_mft.yml
@@ -115,9 +115,9 @@ filter:
 
   directory:
     FullPath:
-      - 'iProgram Files\*'
-      - 'iProgram Files (x86)\*'
+      - 'iProgram Files/*'
+      - 'iProgram Files (x86)/*'
 
   regex:
     FullPath:
-      - 'i?^[^\\]+\\[^\\]+\.[^\\]+$'
+      - 'i?^[^\x00\\/?%*:|"<>\.]+\\[^\x00\\/?%*:|"<>\.]+(?:\.[^\x00\\/?%*:|"<>\.]+)?$'
diff --git a/rules/mft/sup_script_exec_programdata_mft.yml b/rules/mft/sup_script_exec_programdata_mft.yml
@@ -114,8 +114,8 @@ filter:
 
   directory:
     FullPath:
-      - 'iProgramData\*'
+      - 'iProgramData/*'
 
   directoryexc:
     FullPath:
-      - 'iProgramData\Microsoft\Windows Defender\*'
+      - 'iProgramData/Microsoft/Windows Defender/*'
diff --git a/rules/mft/sup_script_exec_public_mft.yml b/rules/mft/sup_script_exec_public_mft.yml
@@ -114,4 +114,4 @@ filter:
 
   directory:
     FullPath:
-      - 'iUsers\Public\*'
+      - 'iUsers/Public/*'
diff --git a/rules/mft/sup_script_exec_recyclebin_mft.yml b/rules/mft/sup_script_exec_recyclebin_mft.yml
@@ -115,9 +115,9 @@ filter:
 
   directory:
     FullPath:
-      - 'i$Recycle.Bin\*'
+      - 'i$Recycle.Bin/*'
 
   name:
     FullPath:
-      - 'i*\$I*'
-      - 'i*\$R*'
+      - 'i*/$I*'
+      - 'i*/$R*'
diff --git a/rules/mft/sup_script_exec_recyclebin_nonstand_mft.yml b/rules/mft/sup_script_exec_recyclebin_nonstand_mft.yml
@@ -115,9 +115,9 @@ filter:
 
   directory:
     FullPath:
-      - 'i$Recycle.Bin\*'
+      - 'i$Recycle.Bin/*'
 
   name:
     FullPath:
-      - 'i*\$I*'
-      - 'i*\$R*'
+      - 'i*/$I*'
+      - 'i*/$R*'
diff --git a/rules/mft/sup_script_exec_root_mft.yml b/rules/mft/sup_script_exec_root_mft.yml
@@ -115,7 +115,7 @@ filter:
 
   directory:
     FullPath:
-      - 'i*\*'
+      - 'i*/*'
       - 'i$Recycle.bin'
       - 'ipagefile.sys'
       - 'iswapfile.sys'
diff --git a/rules/mft/sup_script_exec_root_nonstand_fold_mft.yml b/rules/mft/sup_script_exec_root_nonstand_fold_mft.yml
@@ -115,21 +115,21 @@ filter:
 
   directory:
     FullPath:
-      - 'i*\*'
+      - 'i*/*'
 
   directoryexc:
     FullPath:
-      - 'i$Recycle.Bin\*'
-      - 'iDocuments and Settings\*'
-      - 'iUsers\*'
-      - 'iPerfLogs\*'
-      - 'iProgram Files\*'
-      - 'iProgram Files (x86)\*'
-      - 'iProgramData\*'
-      - 'iRecovery\*'
-      - 'iSystem Volume Information\*'
-      - 'iWindows\*'
-      - 'i[Unknown]\*'
-      - 'iIntel\*'
-      - 'iTemp\*'
-      - 'iWindows.old\*'
+      - 'i$Recycle.Bin/*'
+      - 'iDocuments and Settings/*'
+      - 'iUsers/*'
+      - 'iPerfLogs/*'
+      - 'iProgram Files/*'
+      - 'iProgram Files (x86)/*'
+      - 'iProgramData/*'
+      - 'iRecovery/*'
+      - 'iSystem Volume Information/*'
+      - 'iWindows/*'
+      - 'i[Unknown]/*'
+      - 'iIntel/*'
+      - 'iTemp/*'
+      - 'iWindows.old/*'
diff --git a/rules/mft/sup_script_exec_root_temp_mft.yml b/rules/mft/sup_script_exec_root_temp_mft.yml
@@ -115,4 +115,4 @@ filter:
 
   directory:
     FullPath:
-      - 'iTemp\*'
+      - 'iTemp/*'
diff --git a/rules/mft/sup_script_exec_user_desktop_mft.yml b/rules/mft/sup_script_exec_user_desktop_mft.yml
@@ -114,15 +114,15 @@ filter:
 
   directory:
     FullPath:
-      - 'iUsers\*'
+      - 'iUsers/*'
 
   desktop:
     FullPath:
-      - 'i*\Desktop\*'
+      - 'i*/Desktop/*'
 
   directoryexc:
     FullPath:
-      - 'iUsers\Public\*'
-      - 'iUsers\All Users\*'
-      - 'i*\AppData\*'
-      - 'i*\Downloads\*'
+      - 'iUsers/Public/*'
+      - 'iUsers/All Users/*'
+      - 'i*/AppData/*'
+      - 'i*/Downloads/*'
diff --git a/rules/mft/sup_script_exec_user_downloads_mft.yml b/rules/mft/sup_script_exec_user_downloads_mft.yml
@@ -115,15 +115,15 @@ filter:
 
   directory:
     FullPath:
-      - 'iUsers\*'
+      - 'iUsers/*'
 
   downloads:
     FullPath:
-      - 'i*\Downloads\*'
+      - 'i*/Downloads/*'
 
   directoryexc:
     FullPath:
-      - 'iUsers\Public\*'
-      - 'iUsers\All Users\*'
-      - 'i*\AppData\*'
-      - 'i*\Desktop\*'
+      - 'iUsers/Public/*'
+      - 'iUsers/All Users/*'
+      - 'i*/AppData/*'
+      - 'i*/Desktop/*'
diff --git a/rules/mft/sup_script_exec_user_mft.yml b/rules/mft/sup_script_exec_user_mft.yml
@@ -114,12 +114,12 @@ filter:
 
   directory:
     FullPath:
-      - 'iUsers\*'
+      - 'iUsers/*'
 
   directoryexc:
     FullPath:
-      - 'iUsers\Public\*'
-      - 'iUsers\All Users\*'
-      - 'i*\AppData\*'
-      - 'i*\Downloads\*'
-      - 'i*\Desktop\*'
+      - 'iUsers/Public/*'
+      - 'iUsers/All Users/*'
+      - 'i*/AppData/*'
+      - 'i*/Downloads/*'
+      - 'i*/Desktop/*'
diff --git a/rules/mft/sup_script_exec_windows_root_mft.yml b/rules/mft/sup_script_exec_windows_root_mft.yml
@@ -115,11 +115,11 @@ filter:
 
   directory:
     FullPath:
-      - 'iWindows\*'
+      - 'iWindows/*'
 
   regex:
     FullPath:
-      - 'i?^[^\\]+\\[^\\]+\.[^\\]+$'
+      - 'i?^[^\x00\\/?%*:|"<>\.]+\\[^\x00\\/?%*:|"<>\.]+(?:\.[^\x00\\/?%*:|"<>\.]+)?$'
 
   filesexc:
     FullPath:
diff --git a/rules/mft/sup_script_exec_windows_temp_mft.yml b/rules/mft/sup_script_exec_windows_temp_mft.yml
@@ -115,4 +115,4 @@ filter:
 
   directory:
     FullPath:
-      - 'iWindows\Temp\*'
+      - 'iWindows/Temp/*'
