Windows security and safety governance rules for AI coding agents. Blocks PowerShell execution policy bypass, encoded commands, Run key registry persistence, Windows Defender disable, SYSTEM scheduled tasks, user account creation, WMI process execution, Everyone:F permissions, autorun.inf creation, startup folder persistence, and SAM/SECURITY registry export.
13 rules · 2 files
Pull it from the SigmaShake Hub with `ssg hub pull rules-windows`. Compatible with Claude Code, GitHub Copilot, Cursor, Windsurf, and any AI coding agent using the ssg hook protocol.
| Rule | Decision | Severity | Description |
|---|---|---|---|
| no-powershell-execution-bypass | DENY | error | Blocks PowerShell `-ExecutionPolicy Bypass` |
| no-powershell-encoded-command | ASK | error | Flags `-EncodedCommand` obfuscated PowerShell |
| no-reg-add-run-keys | ASK | error | Flags Run/RunOnce registry key persistence |
| no-disable-windows-defender | DENY | error | Blocks disabling Defender real-time monitoring |
| no-schtasks-system-account | ASK | error | Flags SYSTEM-level scheduled task creation |
| no-net-user-add | ASK | error | Flags local user creation and admin group additions |
| no-wmic-process-execution | ASK | error | Flags `wmic process call create` |
| no-icacls-everyone-full | DENY | error | Blocks granting Everyone:F (full control) |
| Rule | Decision | Severity | Description |
|---|---|---|---|
| no-hosts-file-redirect | ASK | error | Flags hosts-file redirection of Microsoft/Windows Update domains |
| no-autorun-inf | DENY | error | Blocks creation of autorun.inf files |
| no-startup-folder-write | ASK | error | Flags writes to Windows Startup persistence folders |
| no-defender-exclusion | ASK | error | Flags `Add-MpPreference` exclusion paths |
| no-reg-export-sensitive | ASK | error | Flags SAM/SECURITY/LSA registry hive exports |
- Windows 10, 11 (all editions)
- Windows Server 2019, 2022
- Works alongside Microsoft Defender for Endpoint, CIS Windows Benchmark, and LGPO
Part of the SigmaShake Hub — open-source governance rules for AI coding agents.