@cyclonedx/cdxgen 12.2.1 → 12.3.0

package/data/rules/obom-runtime.yaml

@@ -0,0 +1,891 @@
+# OBOM Runtime Security & Compliance Rules
+# Category: obom-runtime
+# Detects host posture, persistence, and runtime indicators from osquery-derived OBOM components
+
+- id: OBOM-LNX-001
+  name: "Linux systemd unit sourced from temporary path"
+  description: "Systemd units loaded from /tmp or /var/tmp can indicate unauthorized persistence."
+  severity: high
+  category: obom-runtime
+  condition: |
+    components[
+      $prop($, 'cdx:osquery:category') = 'systemd_units'
+      and (
+        $contains($nullSafeProp($, 'fragment_path'), '/tmp/')
+        or $contains($nullSafeProp($, 'fragment_path'), '/var/tmp/')
+        or $contains($nullSafeProp($, 'source_path'), '/tmp/')
+        or $contains($nullSafeProp($, 'source_path'), '/var/tmp/')
+      )
+    ]
+  location: |
+    {
+      "bomRef": $."bom-ref",
+      "purl": purl
+    }
+  message: "Systemd unit '{{ name }}' references temporary execution artifacts in its unit file path configuration"
+  mitigation: "Move unit files to trusted system paths, validate ownership/permissions, and re-enable only approved services."
+  evidence: |
+    {
+      "activeState": $prop($, 'active_state'),
+      "unitFileState": $prop($, 'unit_file_state'),
+      "fragmentPath": $prop($, 'fragment_path'),
+      "sourcePath": $prop($, 'source_path')
+    }
+
+- id: OBOM-LNX-002
+  name: "Linux sudoers broad privilege rule"
+  description: "Sudoers entries allowing unrestricted command execution increase lateral movement and privilege escalation risk."
+  severity: high
+  category: obom-runtime
+  condition: |
+    components[
+      $prop($, 'cdx:osquery:category') = 'sudoers_snapshot'
+      and (
+        $contains(description, 'NOPASSWD:ALL')
+        or $contains(description, 'ALL=(ALL) ALL')
+      )
+    ]
+  location: |
+    {
+      "bomRef": $."bom-ref",
+      "purl": purl
+    }
+  message: "Sudo policy '{{ name }}' contains broad privilege grant: {{ description }}"
+  mitigation: "Replace broad grants with command-specific allowlists and enforce MFA/approval workflows for privileged operations."
+  evidence: |
+    {
+      "sourceFile": $prop($, 'path'),
+      "ruleDetails": description
+    }
+
+- id: OBOM-LNX-003
+  name: "Root authorized_keys entry without restrictions"
+  description: "Root SSH keys without command/from/no-agent-forwarding restrictions weaken access controls and traceability."
+  severity: medium
+  category: obom-runtime
+  condition: |
+    components[
+      $prop($, 'cdx:osquery:category') = 'authorized_keys_snapshot'
+      and name = 'root'
+      and $hasProp($, 'options')
+      and $safeStr($prop($, 'options')) = ''
+    ]
+  location: |
+    {
+      "bomRef": $."bom-ref",
+      "purl": purl
+    }
+  message: "Root authorized_keys entry in '{{ $prop($, 'key_file') }}' lacks restrictive key options"
+  mitigation: "Apply restrictive key options (from=, command=, no-agent-forwarding, no-port-forwarding) and rotate unmanaged keys."
+  evidence: |
+    {
+      "account": name,
+      "algorithm": version,
+      "keyFile": $prop($, 'key_file'),
+      "options": $prop($, 'options')
+    }
+
+- id: OBOM-WIN-001
+  name: "Windows drive without BitLocker protection"
+  description: "Drives with disabled BitLocker protection can violate endpoint encryption requirements and increase data exposure risk."
+  severity: high
+  category: obom-runtime
+  condition: |
+    components[
+      $prop($, 'cdx:osquery:category') = 'windows_bitlocker_info'
+      and $safeStr($prop($, 'protection_status')) != '1'
+    ]
+  location: |
+    {
+      "bomRef": $."bom-ref",
+      "purl": purl
+    }
+  message: "BitLocker protection is not enabled for drive '{{ version }}' (device '{{ name }}')"
+  mitigation: "Enable BitLocker with approved encryption policy and escrow recovery keys in managed KMS/AD."
+  evidence: |
+    {
+      "deviceId": name,
+      "driveLetter": version,
+      "protectionStatus": $prop($, 'protection_status'),
+      "encryptionMethod": $prop($, 'encryption_method'),
+      "percentageEncrypted": $prop($, 'percentage_encrypted')
+    }
+
+- id: OBOM-WIN-002
+  name: "Windows Security Center unhealthy state"
+  description: "Poor Security Center health indicates one or more key endpoint protections are disabled or degraded."
+  severity: high
+  category: obom-runtime
+  condition: |
+    components[
+      $prop($, 'cdx:osquery:category') = 'windows_security_center'
+      and (
+        name = 'Poor'
+        or version = 'Poor'
+        or description = 'Poor'
+        or $prop($, 'internet_settings') = 'Poor'
+        or $prop($, 'windows_security_center_service') = 'Poor'
+        or $prop($, 'user_account_control') = 'Poor'
+      )
+    ]
+  location: |
+    {
+      "bomRef": $."bom-ref",
+      "purl": purl
+    }
+  message: "Windows Security Center reports degraded protection posture (antivirus={{ name }}, firewall={{ version }}, autoupdate={{ description }})"
+  mitigation: "Restore endpoint protection controls and enforce policy baselines for AV, firewall, updates, and UAC."
+  evidence: |
+    {
+      "antivirus": name,
+      "firewall": version,
+      "autoupdate": description,
+      "internetSettings": $prop($, 'internet_settings'),
+      "securityCenterService": $prop($, 'windows_security_center_service'),
+      "uac": $prop($, 'user_account_control')
+    }
+
+- id: OBOM-WIN-003
+  name: "Windows Run key references temporary/script execution path"
+  description: "Run/RunOnce entries launching from temp or encoded script commands are common persistence techniques."
+  severity: critical
+  category: obom-runtime
+  condition: |
+    components[
+      $prop($, 'cdx:osquery:category') = 'windows_run_keys'
+      and (
+        $contains($lowercase($safeStr(description)), '\\appdata\\local\\temp\\')
+        or $contains($lowercase($safeStr(description)), '\\temp\\')
+        or $contains($lowercase($safeStr(description)), '-enc ')
+      )
+    ]
+  location: |
+    {
+      "bomRef": $."bom-ref",
+      "purl": purl
+    }
+  message: "Run key '{{ name }}' launches potentially suspicious command/path: {{ description }}"
+  mitigation: "Validate publisher and hash of the referenced executable/script, remove unauthorized entries, and investigate parent change events."
+  evidence: |
+    {
+      "registryPath": name,
+      "command": description,
+      "registryKey": $prop($, 'key'),
+      "mtime": version
+    }
+
+- id: OBOM-MAC-001
+  name: "macOS firewall disabled or stealth mode off"
+  description: "ALF misconfiguration can expose endpoints to unsolicited inbound traffic and weakens host hardening baselines."
+  severity: high
+  category: obom-runtime
+  condition: |
+    components[
+      $prop($, 'cdx:osquery:category') = 'alf'
+      and (
+        $safeStr(version) = '0'
+        or $safeStr($prop($, 'stealth_enabled')) = '0'
+      )
+    ]
+  location: |
+    {
+      "bomRef": $."bom-ref",
+      "purl": purl
+    }
+  message: "macOS ALF posture is weak (global_state={{ version }}, stealth_enabled={{ $prop($, 'stealth_enabled') }})"
+  mitigation: "Enable ALF and stealth mode via managed profile or MDM baseline."
+  evidence: |
+    {
+      "globalState": version,
+      "stealthEnabled": $prop($, 'stealth_enabled'),
+      "allowSignedEnabled": $prop($, 'allow_signed_enabled'),
+      "loggingEnabled": $prop($, 'logging_enabled')
+    }
+
+- id: OBOM-MAC-002
+  name: "macOS launchd item from user-writable temporary path"
+  description: "Launchd agents/daemons sourced from temporary paths are a strong persistence and execution abuse signal."
+  severity: critical
+  category: obom-runtime
+  condition: |
+    components[
+      $prop($, 'cdx:osquery:category') = 'launchd_services'
+      and (
+        $contains($nullSafeProp($, 'path'), '/tmp/')
+        or $contains($nullSafeProp($, 'path'), '/var/tmp/')
+        or $contains($nullSafeProp($, 'program'), '/tmp/')
+        or $contains($nullSafeProp($, 'program'), '/var/tmp/')
+      )
+      and (
+        $safeStr($prop($, 'run_at_load')) = 'true'
+        or $safeStr($prop($, 'run_at_load')) = '1'
+        or $safeStr($prop($, 'keep_alive')) = 'true'
+        or $safeStr($prop($, 'keep_alive')) = '1'
+      )
+    ]
+  location: |
+    {
+      "bomRef": $."bom-ref",
+      "purl": purl
+    }
+  message: "Launchd entry '{{ name }}' executes from temporary path and is configured for persistence"
+  mitigation: "Remove unauthorized plist entries, relocate approved binaries to trusted paths, and enforce signed launchd payloads."
+  evidence: |
+    {
+      "label": $prop($, 'label'),
+      "plistPath": $prop($, 'path'),
+      "program": $prop($, 'program'),
+      "runAtLoad": $prop($, 'run_at_load'),
+      "keepAlive": $prop($, 'keep_alive')
+    }
+
+- id: OBOM-MAC-003
+  name: "macOS firewall exception for binary in untrusted user path"
+  description: "ALF exceptions for binaries in user Downloads/Desktop/tmp increase risk of untrusted inbound network exposure."
+  severity: medium
+  category: obom-runtime
+  condition: |
+    components[
+      $prop($, 'cdx:osquery:category') = 'alf_exceptions'
+      and (
+        $contains($safeStr(name), '/Users/')
+        and (
+          $contains($safeStr(name), '/Downloads/')
+          or $contains($safeStr(name), '/Desktop/')
+          or $contains($safeStr(name), '/tmp/')
+        )
+      )
+    ]
+  location: |
+    {
+      "bomRef": $."bom-ref",
+      "purl": purl
+    }
+  message: "ALF exception allows inbound access for risky path '{{ name }}'"
+  mitigation: "Restrict exceptions to signed, managed applications in trusted system paths."
+  evidence: |
+    {
+      "path": name,
+      "state": version
+    }
+
+- id: OBOM-LNX-004
+  name: "Linux shell history contains suspicious download-execute pattern"
+  description: "Shell history with direct download-and-execute commands may indicate malware staging or hands-on-keyboard activity."
+  severity: high
+  category: obom-runtime
+  condition: |
+    components[
+      $prop($, 'cdx:osquery:category') = 'shell_history_snapshot'
+      and (
+        ($contains($lowercase(description), 'curl ') and $contains($lowercase(description), '| sh'))
+        or ($contains($lowercase(description), 'wget ') and $contains($lowercase(description), '| bash'))
+        or $contains($lowercase(description), 'base64 -d')
+        or $contains($lowercase(description), 'nc -e ')
+      )
+    ]
+  location: |
+    {
+      "bomRef": $."bom-ref",
+      "purl": purl
+    }
+  message: "Suspicious shell history entry for user '{{ name }}': {{ description }}"
+  mitigation: "Correlate with process/network telemetry, validate command intent, and isolate host if command lineage is untrusted."
+  evidence: |
+    {
+      "account": name,
+      "command": description,
+      "historyFile": $prop($, 'history_file'),
+      "timestamp": $prop($, 'time')
+    }
+
+- id: OBOM-LNX-005
+  name: "Docker API exposed over unauthenticated TCP port"
+  description: "Dockerd listening on TCP 2375 enables remote daemon control if not protected by network controls and TLS."
+  severity: critical
+  category: obom-runtime
+  condition: |
+    components[
+      $prop($, 'cdx:osquery:category') = 'listening_ports'
+      and $safeStr($prop($, 'port')) = '2375'
+      and (
+        $safeStr($prop($, 'address')) = '0.0.0.0'
+        or $safeStr($prop($, 'address')) = '::'
+      )
+    ]
+  location: |
+    {
+      "bomRef": $."bom-ref",
+      "purl": purl
+    }
+  message: "Potentially insecure Docker API exposure detected on {{ $prop($, 'address') }}:{{ $prop($, 'port') }} for process '{{ name }}'"
+  mitigation: "Disable insecure TCP listener, enforce TLS/mTLS, and restrict daemon access to trusted local interfaces."
+  evidence: |
+    {
+      "process": name,
+      "pid": $prop($, 'pid'),
+      "address": $prop($, 'address'),
+      "port": $prop($, 'port'),
+      "protocol": $prop($, 'protocol')
+    }
+
+- id: OBOM-LNX-006
+  name: "Privileged Linux listener exposed on a non-local interface"
+  description: "Root or service-account listeners bound to all interfaces expand attack surface and deserve proactive review."
+  severity: high
+  category: obom-runtime
+  condition: |
+    components[
+      $prop($, 'cdx:osquery:category') = 'privileged_listening_ports'
+      and (
+        $safeStr($prop($, 'address')) = '0.0.0.0'
+        or $safeStr($prop($, 'address')) = '::'
+      )
+      and $safeStr($prop($, 'port')) != '22'
+      and $safeStr($prop($, 'port')) != '53'
+      and $safeStr(name) != 'systemd-resolved'
+      and $safeStr(name) != 'avahi-daemon'
+      and $safeStr(name) != 'cupsd'
+    ]
+  location: |
+    {
+      "bomRef": $."bom-ref",
+      "purl": purl
+    }
+  message: "Privileged listener '{{ name }}' is reachable on {{ $prop($, 'address') }}:{{ $prop($, 'port') }}"
+  mitigation: "Restrict privileged services to local interfaces where possible, front them with authenticated proxies, and validate exposure against approved admin-surface inventory."
+  evidence: |
+    {
+      "account": $prop($, 'account'),
+      "pid": $prop($, 'pid'),
+      "address": $prop($, 'address'),
+      "port": $prop($, 'port'),
+      "path": $prop($, 'path'),
+      "serviceUnit": $prop($, 'service_unit'),
+      "packageSourceHint": $prop($, 'package_source_hint'),
+      "parentCmdline": $prop($, 'parent_cmdline')
+    }
+
+- id: OBOM-LNX-007
+  name: "Administrative Linux surface running with elevated privileges"
+  description: "Cockpit, PackageKit, pkexec, and related admin surfaces running with elevated privileges should be continuously monitored for exposure and drift."
+  severity: high
+  category: obom-runtime
+  condition: |
+    components[
+      (
+        $prop($, 'cdx:osquery:category') = 'elevated_processes'
+        or $prop($, 'cdx:osquery:category') = 'privileged_listening_ports'
+        or $prop($, 'cdx:osquery:category') = 'sudo_executions'
+        or $prop($, 'cdx:osquery:category') = 'privilege_transitions'
+      )
+      and (
+        $contains($lowercase($safeStr(name)), 'cockpit')
+        or $contains($lowercase($nullSafeProp($, 'path')), 'cockpit')
+        or $contains($lowercase($nullSafeProp($, 'cmdline')), 'cockpit')
+        or $contains($lowercase($safeStr(name)), 'packagekit')
+        or $contains($lowercase($nullSafeProp($, 'path')), 'packagekit')
+        or $contains($lowercase($nullSafeProp($, 'cmdline')), 'packagekit')
+        or $contains($lowercase($safeStr(name)), 'pkexec')
+        or $contains($lowercase($nullSafeProp($, 'path')), 'pkexec')
+        or $contains($lowercase($nullSafeProp($, 'cmdline')), 'pkexec')
+        or $contains($lowercase($safeStr(name)), 'pkcon')
+        or $contains($lowercase($nullSafeProp($, 'cmdline')), 'pkcon')
+      )
+      and (
+        $safeStr($prop($, 'uid')) = '0'
+        or $safeStr($prop($, 'euid')) = '0'
+        or $safeStr($prop($, 'account')) = 'root'
+        or $safeStr($prop($, 'effective_user')) = 'root'
+      )
+    ]
+  location: |
+    {
+      "bomRef": $."bom-ref",
+      "purl": purl
+    }
+  message: "Administrative surface '{{ name }}' is active with elevated privileges and should be reviewed for exposure"
+  mitigation: "Review network reachability, patch cadence, and whether the administrative package is still needed on this host."
+  evidence: |
+    {
+      "category": $prop($, 'cdx:osquery:category'),
+      "path": $prop($, 'path'),
+      "cmdline": $prop($, 'cmdline'),
+      "account": $prop($, 'account'),
+      "effectiveUser": $prop($, 'effective_user'),
+      "serviceUnit": $prop($, 'service_unit'),
+      "address": $prop($, 'address'),
+      "port": $prop($, 'port'),
+      "packageSourceHint": $prop($, 'package_source_hint')
+    }
+
+- id: OBOM-LNX-008
+  name: "Interactive sudo chain touched sensitive administrative binary"
+  description: "Interactive sudo or pkexec invocations against package-management and admin-control binaries can indicate privileged changes worth auditing."
+  severity: high
+  category: obom-runtime
+  condition: |
+    components[
+      $prop($, 'cdx:osquery:category') = 'sudo_executions'
+      and $safeStr($prop($, 'auid')) != ''
+      and $safeStr($prop($, 'auid')) != '0'
+      and (
+        $safeStr($prop($, 'euid')) = '0'
+        or $safeStr($prop($, 'effective_user')) = 'root'
+      )
+      and (
+        $contains($lowercase($nullSafeProp($, 'path')), 'pkexec')
+        or $contains($lowercase($nullSafeProp($, 'path')), 'pkcon')
+        or $contains($lowercase($nullSafeProp($, 'path')), 'packagekit')
+        or $contains($lowercase($nullSafeProp($, 'cmdline')), 'pkexec')
+        or $contains($lowercase($nullSafeProp($, 'cmdline')), 'pkcon')
+        or $contains($lowercase($nullSafeProp($, 'cmdline')), 'packagekit')
+        or $contains($lowercase($nullSafeProp($, 'cmdline')), 'cockpit')
+        or $contains($lowercase($nullSafeProp($, 'cmdline')), 'systemctl')
+        or $contains($lowercase($nullSafeProp($, 'cmdline')), 'service ')
+        or $contains($lowercase($nullSafeProp($, 'cmdline')), ' apt ')
+        or $contains($lowercase($nullSafeProp($, 'cmdline')), ' apt-get ')
+        or $contains($lowercase($nullSafeProp($, 'cmdline')), ' dnf ')
+        or $contains($lowercase($nullSafeProp($, 'cmdline')), ' yum ')
+        or $contains($lowercase($nullSafeProp($, 'cmdline')), ' zypper ')
+        or $contains($lowercase($nullSafeProp($, 'cmdline')), ' rpm ')
+        or $contains($lowercase($nullSafeProp($, 'cmdline')), ' dpkg ')
+      )
+    ]
+  location: |
+    {
+      "bomRef": $."bom-ref",
+      "purl": purl
+    }
+  message: "Interactive privileged execution by '{{ $prop($, 'login_user') }}' touched sensitive administrative command '{{ $prop($, 'path') }}'"
+  mitigation: "Review whether the command was expected, tie it to change records, and investigate unexpected package-management or control-plane activity."
+  evidence: |
+    {
+      "loginUser": $prop($, 'login_user'),
+      "effectiveUser": $prop($, 'effective_user'),
+      "path": $prop($, 'path'),
+      "cmdline": $prop($, 'cmdline'),
+      "parentCmdline": $prop($, 'parent_cmdline'),
+      "serviceUnit": $prop($, 'service_unit'),
+      "packageSourceHint": $prop($, 'package_source_hint'),
+      "timestamp": $prop($, 'time')
+    }
+
+- id: OBOM-LNX-009
+  name: "Unexpected Linux privilege transition for non-allowlisted executable"
+  description: "Setuid/setgid transitions outside a small baseline of expected tools can indicate risky privilege-bound packages or exploit activity."
+  severity: high
+  category: obom-runtime
+  condition: |
+    components[
+      $prop($, 'cdx:osquery:category') = 'privilege_transitions'
+      and $safeStr($prop($, 'auid')) != ''
+      and $safeStr($prop($, 'auid')) != '0'
+      and (
+        $safeStr($prop($, 'euid')) = '0'
+        or $safeStr($prop($, 'egid')) = '0'
+      )
+      and $safeStr($prop($, 'path')) != '/usr/bin/sudo'
+      and $safeStr($prop($, 'path')) != '/bin/su'
+      and $safeStr($prop($, 'path')) != '/usr/bin/su'
+      and $safeStr($prop($, 'path')) != '/usr/bin/doas'
+      and $safeStr($prop($, 'path')) != '/usr/bin/passwd'
+      and $safeStr($prop($, 'path')) != '/usr/bin/chsh'
+      and $safeStr($prop($, 'path')) != '/usr/bin/chfn'
+      and $safeStr($prop($, 'path')) != '/usr/bin/gpasswd'
+      and $safeStr($prop($, 'path')) != '/usr/bin/newgrp'
+      and $safeStr($prop($, 'path')) != '/usr/bin/mount'
+      and $safeStr($prop($, 'path')) != '/usr/bin/umount'
+    ]
+  location: |
+    {
+      "bomRef": $."bom-ref",
+      "purl": purl
+    }
+  message: "Unexpected privilege transition detected for '{{ $prop($, 'path') }}' (auid={{ $prop($, 'auid') }}, euid={{ $prop($, 'euid') }})"
+  mitigation: "Validate binary provenance, file permissions, and recent package changes; treat unfamiliar setuid/setgid paths as high-priority review items."
+  evidence: |
+    {
+      "loginUser": $prop($, 'login_user'),
+      "path": $prop($, 'path'),
+      "cmdline": $prop($, 'cmdline'),
+      "parentCmdline": $prop($, 'parent_cmdline'),
+      "auid": $prop($, 'auid'),
+      "uid": $prop($, 'uid'),
+      "euid": $prop($, 'euid'),
+      "gid": $prop($, 'gid'),
+      "egid": $prop($, 'egid'),
+      "packageSourceHint": $prop($, 'package_source_hint')
+    }
+
+- id: OBOM-LNX-010
+  name: "Elevated Linux process launched from user-writable or unusual path"
+  description: "Root processes executing from user-controlled or non-standard paths are a strong signal for persistence or package drift."
+  severity: critical
+  category: obom-runtime
+  condition: |
+    components[
+      $prop($, 'cdx:osquery:category') = 'elevated_processes'
+      and $safeStr($prop($, 'uid')) = '0'
+      and (
+        $contains($nullSafeProp($, 'path'), '/tmp/')
+        or $contains($nullSafeProp($, 'path'), '/var/tmp/')
+        or $contains($nullSafeProp($, 'path'), '/dev/shm/')
+        or $contains($nullSafeProp($, 'path'), '/home/')
+        or $contains($nullSafeProp($, 'path'), '/run/user/')
+        or $safeStr($prop($, 'package_source_hint')) = 'user-writable-path'
+        or $safeStr($prop($, 'package_source_hint')) = 'unclassified-path'
+      )
+      and $safeStr(name) != 'systemd'
+      and $safeStr(name) != 'init'
+    ]
+  location: |
+    {
+      "bomRef": $."bom-ref",
+      "purl": purl
+    }
+  message: "Elevated process '{{ name }}' executes from a risky path: {{ $prop($, 'path') }}"
+  mitigation: "Move approved binaries into trusted system locations, validate package ownership, and investigate any root process sourced from writable directories."
+  evidence: |
+    {
+      "account": $prop($, 'account'),
+      "path": $prop($, 'path'),
+      "serviceUnit": $prop($, 'service_unit'),
+      "parentPath": $prop($, 'parent_path'),
+      "parentCmdline": $prop($, 'parent_cmdline'),
+      "startTime": $prop($, 'start_time'),
+      "packageSourceHint": $prop($, 'package_source_hint')
+    }
+
+- id: OBOM-LNX-011
+  name: "Interactive shell parent spawned privileged Linux execution"
+  description: "Shell-driven privileged chains are useful for separating admin changes from long-running service behavior."
+  severity: medium
+  category: obom-runtime
+  condition: |
+    components[
+      $prop($, 'cdx:osquery:category') = 'sudo_executions'
+      and $safeStr($prop($, 'auid')) != ''
+      and $safeStr($prop($, 'auid')) != '0'
+      and (
+        $safeStr($prop($, 'euid')) = '0'
+        or $safeStr($prop($, 'effective_user')) = 'root'
+      )
+      and (
+        $safeStr($prop($, 'parent_name')) = 'bash'
+        or $safeStr($prop($, 'parent_name')) = 'sh'
+        or $safeStr($prop($, 'parent_name')) = 'zsh'
+        or $safeStr($prop($, 'parent_name')) = 'dash'
+        or $safeStr($prop($, 'parent_name')) = 'fish'
+        or $contains($lowercase($nullSafeProp($, 'parent_cmdline')), 'bash')
+        or $contains($lowercase($nullSafeProp($, 'parent_cmdline')), 'zsh')
+        or $contains($lowercase($nullSafeProp($, 'parent_cmdline')), 'fish')
+      )
+    ]
+  location: |
+    {
+      "bomRef": $."bom-ref",
+      "purl": purl
+    }
+  message: "Interactive shell lineage for privileged command '{{ $prop($, 'cmdline') }}' merits change-review validation"
+  mitigation: "Correlate the privileged command with shell history, tickets, and package changes to confirm it was expected."
+  evidence: |
+    {
+      "loginUser": $prop($, 'login_user'),
+      "parentName": $prop($, 'parent_name'),
+      "parentCmdline": $prop($, 'parent_cmdline'),
+      "path": $prop($, 'path'),
+      "cmdline": $prop($, 'cmdline'),
+      "timestamp": $prop($, 'time')
+    }
+
+- id: OBOM-WIN-004
+  name: "Hidden scheduled task uses suspicious execution path"
+  description: "Enabled hidden tasks executing from temp paths or encoded script launchers are common persistence tradecraft."
+  severity: high
+  category: obom-runtime
+  condition: |
+    components[
+      $prop($, 'cdx:osquery:category') = 'scheduled_tasks'
+      and $safeStr($prop($, 'enabled')) = '1'
+      and $safeStr($prop($, 'hidden')) = '1'
+      and (
+        $contains($lowercase($nullSafeProp($, 'path')), '\\temp\\')
+        or ($contains($lowercase($nullSafeProp($, 'action')), 'powershell') and $contains($lowercase($nullSafeProp($, 'action')), '-enc '))
+      )
+    ]
+  location: |
+    {
+      "bomRef": $."bom-ref",
+      "purl": purl
+    }
+  message: "Hidden scheduled task '{{ name }}' has suspicious action/path: {{ $prop($, 'action') }}"
+  mitigation: "Validate author and binary lineage, disable unauthorized tasks, and investigate task registration event history."
+  evidence: |
+    {
+      "taskName": name,
+      "taskPath": $prop($, 'path'),
+      "action": $prop($, 'action'),
+      "state": $prop($, 'state')
+    }
+
+- id: OBOM-WIN-005
+  name: "Auto-start Windows service points to user-writable path"
+  description: "Auto-start services from temp or AppData paths may indicate privilege persistence through service hijacking."
+  severity: critical
+  category: obom-runtime
+  condition: |
+    components[
+      $prop($, 'cdx:osquery:category') = 'services_snapshot'
+      and $safeStr($prop($, 'start_type')) = 'AUTO_START'
+      and (
+        $contains($lowercase($nullSafeProp($, 'path')), '\\temp\\')
+        or $contains($lowercase($nullSafeProp($, 'path')), '\\appdata\\')
+      )
+    ]
+  location: |
+    {
+      "bomRef": $."bom-ref",
+      "purl": purl
+    }
+  message: "Auto-start service '{{ name }}' launches from a user-writable path: {{ $prop($, 'path') }}"
+  mitigation: "Move binaries to protected system paths, lock ACLs, and validate service image hashes/signatures."
+  evidence: |
+    {
+      "serviceName": name,
+      "displayName": $prop($, 'display_name'),
+      "servicePath": $prop($, 'path'),
+      "account": $prop($, 'user_account')
+    }
+
+- id: OBOM-WIN-006
+  name: "Windows persistence surface references LOLBAS execution helper"
+  description: "Run keys, startup items, scheduled tasks, or auto-start services that reference LOLBAS execution helpers deserve elevated review because they blend persistence with proxy execution tradecraft."
+  severity: high
+  category: obom-runtime
+  condition: |
+    components[
+      $prop($, 'cdx:lolbas:matched') = 'true'
+      and (
+        $prop($, 'cdx:osquery:category') = 'windows_run_keys'
+        or $prop($, 'cdx:osquery:category') = 'scheduled_tasks'
+        or $prop($, 'cdx:osquery:category') = 'startup_items'
+        or $prop($, 'cdx:osquery:category') = 'services_snapshot'
+      )
+      and (
+        $listContains($prop($, 'cdx:lolbas:functions'), 'command')
+        or $listContains($prop($, 'cdx:lolbas:functions'), 'script-execution')
+        or $listContains($prop($, 'cdx:lolbas:functions'), 'proxy-execution')
+        or $listContains($prop($, 'cdx:lolbas:functions'), 'library-load')
+        or $listContains($prop($, 'cdx:lolbas:functions'), 'shell')
+      )
+    ]
+  location: |
+    {
+      "bomRef": $."bom-ref",
+      "purl": purl
+    }
+  message: "Windows persistence surface '{{ name }}' references LOLBAS helper(s) {{ $prop($, 'cdx:lolbas:names') }}"
+  mitigation: "Validate the owning change, replace proxy-execution helpers with signed managed binaries where possible, and baseline approved startup surfaces with allowlists."
+  attack:
+    tactics: [TA0003, TA0005]
+    techniques: [T1218, T1547]
+  evidence: |
+    {
+      "queryCategory": $prop($, 'cdx:osquery:category'),
+      "lolbasNames": $prop($, 'cdx:lolbas:names'),
+      "functions": $prop($, 'cdx:lolbas:functions'),
+      "matchFields": $prop($, 'cdx:lolbas:matchFields'),
+      "path": $prop($, 'path'),
+      "action": $prop($, 'action'),
+      "command": description
+    }
+
+- id: OBOM-WIN-007
+  name: "Windows WMI or AppCompat persistence uses LOLBAS"
+  description: "WMI command consumers and AppCompat shims that invoke LOLBAS utilities are high-signal persistence and defense-evasion indicators."
+  severity: critical
+  category: obom-runtime
+  condition: |
+    components[
+      $prop($, 'cdx:lolbas:matched') = 'true'
+      and (
+        $prop($, 'cdx:osquery:category') = 'appcompat_shims'
+        or $prop($, 'cdx:osquery:category') = 'wmi_cli_event_consumers'
+        or $prop($, 'cdx:osquery:category') = 'wmi_cli_event_consumers_snapshot'
+      )
+    ]
+  location: |
+    {
+      "bomRef": $."bom-ref",
+      "purl": purl
+    }
+  message: "WMI/AppCompat persistence artifact '{{ name }}' references LOLBAS helper(s) {{ $prop($, 'cdx:lolbas:names') }}"
+  mitigation: "Treat as a persistence investigation, review WMI repository and shim databases, and remove unauthorized subscriptions or shim registrations."
+  attack:
+    tactics: [TA0003, TA0005]
+    techniques: [T1218, T1546]
+  evidence: |
+    {
+      "queryCategory": $prop($, 'cdx:osquery:category'),
+      "lolbasNames": $prop($, 'cdx:lolbas:names'),
+      "functions": $prop($, 'cdx:lolbas:functions'),
+      "matchFields": $prop($, 'cdx:lolbas:matchFields'),
+      "path": $prop($, 'path'),
+      "executable": $prop($, 'executable'),
+      "commandLine": $prop($, 'command_line'),
+      "commandTemplate": $prop($, 'command_line_template')
+    }
+
+- id: OBOM-WIN-008
+  name: "Windows startup or process activity uses network-capable LOLBAS"
+  description: "Network-capable LOLBAS helpers such as PowerShell, Certutil, Bitsadmin, or WMIC become higher priority when they appear in persistence surfaces or suspicious live process command lines."
+  severity: high
+  category: obom-runtime
+  condition: |
+    components[
+      $prop($, 'cdx:lolbas:matched') = 'true'
+      and (
+        $listContains($prop($, 'cdx:lolbas:functions'), 'download')
+        or $listContains($prop($, 'cdx:lolbas:functions'), 'upload')
+      )
+      and (
+        $prop($, 'cdx:osquery:category') = 'windows_run_keys'
+        or $prop($, 'cdx:osquery:category') = 'scheduled_tasks'
+        or $prop($, 'cdx:osquery:category') = 'startup_items'
+        or (
+          $prop($, 'cdx:osquery:category') = 'processes'
+          and (
+            $contains($lowercase($nullSafeProp($, 'cmdline')), 'http://')
+            or $contains($lowercase($nullSafeProp($, 'cmdline')), 'https://')
+            or $contains($lowercase($nullSafeProp($, 'cmdline')), '-enc ')
+          )
+        )
+      )
+    ]
+  location: |
+    {
+      "bomRef": $."bom-ref",
+      "purl": purl
+    }
+  message: "Network-capable LOLBAS helper(s) {{ $prop($, 'cdx:lolbas:names') }} detected in '{{ $prop($, 'cdx:osquery:category') }}'"
+  mitigation: "Correlate with outbound connections and downloads, restrict unmanaged scripting/network utilities, and investigate encoded or remote-fetch command lines."
+  attack:
+    tactics: [TA0002, TA0011]
+    techniques: [T1041, T1059.001, T1105]
+  evidence: |
+    {
+      "queryCategory": $prop($, 'cdx:osquery:category'),
+      "lolbasNames": $prop($, 'cdx:lolbas:names'),
+      "functions": $prop($, 'cdx:lolbas:functions'),
+      "command": description,
+      "cmdline": $prop($, 'cmdline'),
+      "action": $prop($, 'action')
+    }
+
+- id: OBOM-WIN-009
+  name: "Network-facing Windows listener is a LOLBAS execution helper"
+  description: "A listening process backed by a LOLBAS execution helper is a strong remote-control or staging indicator on Windows endpoints."
+  severity: critical
+  category: obom-runtime
+  condition: |
+    components[
+      $prop($, 'cdx:osquery:category') = 'listening_ports'
+      and $prop($, 'cdx:lolbas:matched') = 'true'
+      and (
+        $safeStr($prop($, 'address')) = '0.0.0.0'
+        or $safeStr($prop($, 'address')) = '::'
+      )
+      and (
+        $listContains($prop($, 'cdx:lolbas:functions'), 'command')
+        or $listContains($prop($, 'cdx:lolbas:functions'), 'script-execution')
+        or $listContains($prop($, 'cdx:lolbas:functions'), 'shell')
+      )
+    ]
+  location: |
+    {
+      "bomRef": $."bom-ref",
+      "purl": purl
+    }
+  message: "Listening process '{{ name }}' on {{ $prop($, 'address') }}:{{ $prop($, 'port') }} matches LOLBAS helper(s) {{ $prop($, 'cdx:lolbas:names') }}"
+  mitigation: "Review parent process lineage, isolate unmanaged listeners, and block or remove unexpected inbound admin or scripting surfaces."
+  attack:
+    tactics: [TA0008, TA0011]
+    techniques: [T1059, T1105, T1218]
+  evidence: |
+    {
+      "lolbasNames": $prop($, 'cdx:lolbas:names'),
+      "functions": $prop($, 'cdx:lolbas:functions'),
+      "path": $prop($, 'path'),
+      "cmdline": $prop($, 'cmdline'),
+      "address": $prop($, 'address'),
+      "port": $prop($, 'port')
+    }
+
+- id: OBOM-WIN-010
+  name: "Windows persistence artifact uses LOLBAS with UAC-bypass context"
+  description: "Persistence surfaces that reference LOLBAS helpers documented with UAC-bypass behavior should be treated as privilege-escalation investigations."
+  severity: critical
+  category: obom-runtime
+  condition: |
+    components[
+      $prop($, 'cdx:lolbas:matched') = 'true'
+      and $listContains($prop($, 'cdx:lolbas:contexts'), 'uac-bypass')
+      and (
+        $prop($, 'cdx:osquery:category') = 'windows_run_keys'
+        or $prop($, 'cdx:osquery:category') = 'scheduled_tasks'
+        or $prop($, 'cdx:osquery:category') = 'startup_items'
+        or $prop($, 'cdx:osquery:category') = 'wmi_cli_event_consumers'
+        or $prop($, 'cdx:osquery:category') = 'wmi_cli_event_consumers_snapshot'
+      )
+    ]
+  location: |
+    {
+      "bomRef": $."bom-ref",
+      "purl": purl
+    }
+  message: "UAC-bypass-capable LOLBAS helper(s) {{ $prop($, 'cdx:lolbas:names') }} detected in Windows persistence artifact '{{ name }}'"
+  mitigation: "Investigate as a possible privilege-escalation foothold, remove unauthorized registration points, and enforce WDAC/AppLocker policies for known proxy binaries."
+  attack:
+    tactics: [TA0003, TA0004, TA0005]
+    techniques: [T1548.002, T1218]
+  evidence: |
+    {
+      "queryCategory": $prop($, 'cdx:osquery:category'),
+      "lolbasNames": $prop($, 'cdx:lolbas:names'),
+      "contexts": $prop($, 'cdx:lolbas:contexts'),
+      "path": $prop($, 'path'),
+      "action": $prop($, 'action'),
+      "command": description
+    }
+
+- id: OBOM-MAC-004
+  name: "macOS launchd override disables Apple-managed service"
+  description: "Launchd overrides disabling Apple-managed services can indicate tampering with built-in security or platform controls."
+  severity: medium
+  category: obom-runtime
+  condition: |
+    components[
+      $prop($, 'cdx:osquery:category') = 'launchd_overrides'
+      and $safeStr($prop($, 'key')) = 'Disabled'
+      and (
+        $safeStr($prop($, 'value')) = '1'
+        or $lowercase($safeStr($prop($, 'value'))) = 'true'
+      )
+      and $startsWith($safeStr($prop($, 'label')), 'com.apple.')
+    ]
+  location: |
+    {
+      "bomRef": $."bom-ref",
+      "purl": purl
+    }
+  message: "Launchd override disables Apple-managed label '{{ $prop($, 'label') }}'"
+  mitigation: "Review override provenance, restore approved launchd settings, and investigate unauthorized local configuration changes."
+  evidence: |
+    {
+      "label": $prop($, 'label'),
+      "key": $prop($, 'key'),
+      "value": $prop($, 'value'),
+      "uid": $prop($, 'uid'),
+      "plistPath": $prop($, 'path')
+    }