Fix Regex Problem

Fix MFT Rules to Forward Slash

Author: reece394

rules/mft/adamntds_dit_mft.yml

@@ -49,9 +49,9 @@ filter:
 
   adamntds_2:
     FullPath:
-      - 'iProgram Files\Microsoft ADAM\*'
-      - 'iWindows\WinSxS*'
-      - 'iWindows\servicing\LCU\*'
+      - 'iProgram Files/Microsoft ADAM/*'
+      - 'iWindows/WinSxS*'
+      - 'iWindows/servicing/LCU/*'
 
   adamntds_3:
     FileSize:

rules/mft/ntds_dit_mft.yml

@@ -49,9 +49,9 @@ filter:
 
   ntds_2:
     FullPath:
-      - 'iWindows\NTDS\NTDS.dit'
-      - 'iWindows\WinSxS*'
-      - 'iWindows\servicing\LCU\*'
+      - 'iWindows/NTDS/NTDS.dit'
+      - 'iWindows/WinSxS*'
+      - 'iWindows/servicing/LCU/*'
       - 'i*adamntds.dit*'
 
   ntds_3:

rules/mft/sup_script_exec_intel_mft.yml

@@ -115,4 +115,4 @@ filter:
 
   directory:
     FullPath:
-      - 'iIntel\*'
+      - 'iIntel/*'

rules/mft/sup_script_exec_perflogs_mft.yml

@@ -7,7 +7,7 @@ authors:
 
 
 kind: mft
-level: high
+level: medium
 status: stable
 timestamp: StandardInfoCreated
 
@@ -115,4 +115,4 @@ filter:
 
   directory:
     FullPath:
-      - 'iPerfLogs\*'
+      - 'iPerfLogs/*'

rules/mft/sup_script_exec_program_files_root_mft.yml

@@ -115,9 +115,9 @@ filter:
 
   directory:
     FullPath:
-      - 'iProgram Files\*'
-      - 'iProgram Files (x86)\*'
+      - 'iProgram Files/*'
+      - 'iProgram Files (x86)/*'
 
   regex:
     FullPath:
-      - 'i?^[^\\]+\\[^\\]+\.[^\\]+$'
+      - 'i?^[^\x00/?%*:|"<>\.]+/[^\x00/?%*:|"<>\.]+(?:\.[^\x00/?%*:|"<>\.]+)?$'

rules/mft/sup_script_exec_programdata_mft.yml

@@ -114,8 +114,8 @@ filter:
 
   directory:
     FullPath:
-      - 'iProgramData\*'
+      - 'iProgramData/*'
 
   directoryexc:
     FullPath:
-      - 'iProgramData\Microsoft\Windows Defender\*'
+      - 'iProgramData/Microsoft/Windows Defender/*'

rules/mft/sup_script_exec_public_mft.yml

@@ -114,4 +114,4 @@ filter:
 
   directory:
     FullPath:
-      - 'iUsers\Public\*'
+      - 'iUsers/Public/*'

rules/mft/sup_script_exec_recyclebin_mft.yml

@@ -115,9 +115,9 @@ filter:
 
   directory:
     FullPath:
-      - 'i$Recycle.Bin\*'
+      - 'i$Recycle.Bin/*'
 
   name:
     FullPath:
-      - 'i*\$I*'
-      - 'i*\$R*'
+      - 'i*/$I*'
+      - 'i*/$R*'

rules/mft/sup_script_exec_recyclebin_nonstand_mft.yml

@@ -115,9 +115,9 @@ filter:
 
   directory:
     FullPath:
-      - 'i$Recycle.Bin\*'
+      - 'i$Recycle.Bin/*'
 
   name:
     FullPath:
-      - 'i*\$I*'
-      - 'i*\$R*'
+      - 'i*/$I*'
+      - 'i*/$R*'

rules/mft/sup_script_exec_root_mft.yml

@@ -115,7 +115,7 @@ filter:
 
   directory:
     FullPath:
-      - 'i*\*'
+      - 'i*/*'
       - 'i$Recycle.bin'
       - 'ipagefile.sys'
       - 'iswapfile.sys'

rules/mft/sup_script_exec_root_nonstand_fold_mft.yml

@@ -115,21 +115,21 @@ filter:
 
   directory:
     FullPath:
-      - 'i*\*'
+      - 'i*/*'
 
   directoryexc:
     FullPath:
-      - 'i$Recycle.Bin\*'
-      - 'iDocuments and Settings\*'
-      - 'iUsers\*'
-      - 'iPerfLogs\*'
-      - 'iProgram Files\*'
-      - 'iProgram Files (x86)\*'
-      - 'iProgramData\*'
-      - 'iRecovery\*'
-      - 'iSystem Volume Information\*'
-      - 'iWindows\*'
-      - 'i[Unknown]\*'
-      - 'iIntel\*'
-      - 'iTemp\*'
-      - 'iWindows.old\*'
+      - 'i$Recycle.Bin/*'
+      - 'iDocuments and Settings/*'
+      - 'iUsers/*'
+      - 'iPerfLogs/*'
+      - 'iProgram Files/*'
+      - 'iProgram Files (x86)/*'
+      - 'iProgramData/*'
+      - 'iRecovery/*'
+      - 'iSystem Volume Information/*'
+      - 'iWindows/*'
+      - 'i[Unknown]/*'
+      - 'iIntel/*'
+      - 'iTemp/*'
+      - 'iWindows.old/*'

rules/mft/sup_script_exec_root_temp_mft.yml

@@ -115,4 +115,4 @@ filter:
 
   directory:
     FullPath:
-      - 'iTemp\*'
+      - 'iTemp/*'

rules/mft/sup_script_exec_user_desktop_mft.yml

@@ -114,15 +114,15 @@ filter:
 
   directory:
     FullPath:
-      - 'iUsers\*'
+      - 'iUsers/*'
 
   desktop:
     FullPath:
-      - 'i*\Desktop\*'
+      - 'i*/Desktop/*'
 
   directoryexc:
     FullPath:
-      - 'iUsers\Public\*'
-      - 'iUsers\All Users\*'
-      - 'i*\AppData\*'
-      - 'i*\Downloads\*'
+      - 'iUsers/Public/*'
+      - 'iUsers/All Users/*'
+      - 'i*/AppData/*'
+      - 'i*/Downloads/*'

rules/mft/sup_script_exec_user_downloads_mft.yml

@@ -115,15 +115,15 @@ filter:
 
   directory:
     FullPath:
-      - 'iUsers\*'
+      - 'iUsers/*'
 
   downloads:
     FullPath:
-      - 'i*\Downloads\*'
+      - 'i*/Downloads/*'
 
   directoryexc:
     FullPath:
-      - 'iUsers\Public\*'
-      - 'iUsers\All Users\*'
-      - 'i*\AppData\*'
-      - 'i*\Desktop\*'
+      - 'iUsers/Public/*'
+      - 'iUsers/All Users/*'
+      - 'i*/AppData/*'
+      - 'i*/Desktop/*'

rules/mft/sup_script_exec_user_mft.yml

@@ -114,12 +114,12 @@ filter:
 
   directory:
     FullPath:
-      - 'iUsers\*'
+      - 'iUsers/*'
 
   directoryexc:
     FullPath:
-      - 'iUsers\Public\*'
-      - 'iUsers\All Users\*'
-      - 'i*\AppData\*'
-      - 'i*\Downloads\*'
-      - 'i*\Desktop\*'
+      - 'iUsers/Public/*'
+      - 'iUsers/All Users/*'
+      - 'i*/AppData/*'
+      - 'i*/Downloads/*'
+      - 'i*/Desktop/*'

rules/mft/sup_script_exec_windows_root_mft.yml

@@ -115,11 +115,11 @@ filter:
 
   directory:
     FullPath:
-      - 'iWindows\*'
+      - 'iWindows/*'
 
   regex:
     FullPath:
-      - 'i?^[^\\]+\\[^\\]+\.[^\\]+$'
+      - 'i?^[^\x00/?%*:|"<>\.]+/[^\x00/?%*:|"<>\.]+(?:\.[^\x00/?%*:|"<>\.]+)?$'
 
   filesexc:
     FullPath:

rules/mft/sup_script_exec_windows_temp_mft.yml

@@ -115,4 +115,4 @@ filter:
 
   directory:
     FullPath:
-      - 'iWindows\Temp\*'
+      - 'iWindows/Temp/*'