@cyclonedx/cdxgen 12.2.1 → 12.3.0

package/data/lolbas-index.json

@@ -0,0 +1,150 @@
+{
+  "entries": {
+    "bitsadmin.exe": {
+      "attackTactics": ["TA0002", "TA0011"],
+      "attackTechniques": ["T1105", "T1197"],
+      "contexts": ["admin", "user"],
+      "functions": ["download", "upload", "command"],
+      "reference": "https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/",
+      "riskTags": ["network-transfer", "persistence"]
+    },
+    "certutil.exe": {
+      "attackTactics": ["TA0005", "TA0011"],
+      "attackTechniques": ["T1105", "T1140"],
+      "contexts": ["admin", "user"],
+      "functions": ["download", "decode", "file-read", "file-write"],
+      "reference": "https://lolbas-project.github.io/lolbas/Binaries/Certutil/",
+      "riskTags": ["defense-evasion", "network-transfer"]
+    },
+    "cmd.exe": {
+      "attackTactics": ["TA0002"],
+      "attackTechniques": ["T1059.003"],
+      "contexts": ["admin", "user"],
+      "functions": ["command", "shell"],
+      "reference": "https://lolbas-project.github.io/lolbas/Binaries/Cmd/",
+      "riskTags": ["execution"]
+    },
+    "cmdkey.exe": {
+      "attackTactics": ["TA0006"],
+      "attackTechniques": ["T1555"],
+      "contexts": ["admin", "user"],
+      "functions": ["credential-access"],
+      "reference": "https://lolbas-project.github.io/lolbas/Binaries/Cmdkey/",
+      "riskTags": ["credential-access"]
+    },
+    "cmstp.exe": {
+      "attackTactics": ["TA0003", "TA0005"],
+      "attackTechniques": ["T1218.003", "T1548.002"],
+      "contexts": ["admin", "uac-bypass", "user"],
+      "functions": ["proxy-execution", "uac-bypass"],
+      "reference": "https://lolbas-project.github.io/lolbas/Binaries/Cmstp/",
+      "riskTags": ["defense-evasion", "persistence", "uac-bypass"]
+    },
+    "cscript.exe": {
+      "attackTactics": ["TA0002", "TA0005"],
+      "attackTechniques": ["T1059.005", "T1216"],
+      "contexts": ["admin", "user"],
+      "functions": ["proxy-execution", "script-execution"],
+      "reference": "https://lolbas-project.github.io/lolbas/Binaries/Cscript/",
+      "riskTags": ["defense-evasion", "execution"]
+    },
+    "ftp.exe": {
+      "attackTactics": ["TA0011"],
+      "attackTechniques": ["T1041", "T1105"],
+      "contexts": ["admin", "user"],
+      "functions": ["download", "upload"],
+      "reference": "https://lolbas-project.github.io/lolbas/Binaries/Ftp/",
+      "riskTags": ["network-transfer"]
+    },
+    "installutil.exe": {
+      "attackTactics": ["TA0002", "TA0005"],
+      "attackTechniques": ["T1218.004"],
+      "contexts": ["admin", "user"],
+      "functions": ["library-load", "proxy-execution"],
+      "reference": "https://lolbas-project.github.io/lolbas/Binaries/Installutil/",
+      "riskTags": ["defense-evasion", "execution"]
+    },
+    "msbuild.exe": {
+      "attackTactics": ["TA0002", "TA0005"],
+      "attackTechniques": ["T1127.001"],
+      "contexts": ["admin", "user"],
+      "functions": ["compile", "proxy-execution", "script-execution"],
+      "reference": "https://lolbas-project.github.io/lolbas/Binaries/Msbuild/",
+      "riskTags": ["defense-evasion", "execution"]
+    },
+    "mshta.exe": {
+      "attackTactics": ["TA0002", "TA0005"],
+      "attackTechniques": ["T1218.005"],
+      "contexts": ["admin", "user"],
+      "functions": ["proxy-execution", "script-execution"],
+      "reference": "https://lolbas-project.github.io/lolbas/Binaries/Mshta/",
+      "riskTags": ["defense-evasion", "execution"]
+    },
+    "msiexec.exe": {
+      "attackTactics": ["TA0002", "TA0005", "TA0011"],
+      "attackTechniques": ["T1105", "T1218.007"],
+      "contexts": ["admin", "user"],
+      "functions": ["download", "proxy-execution"],
+      "reference": "https://lolbas-project.github.io/lolbas/Binaries/Msiexec/",
+      "riskTags": ["defense-evasion", "network-transfer"]
+    },
+    "odbcconf.exe": {
+      "attackTactics": ["TA0002", "TA0005"],
+      "attackTechniques": ["T1218.008"],
+      "contexts": ["admin", "user"],
+      "functions": ["library-load", "proxy-execution"],
+      "reference": "https://lolbas-project.github.io/lolbas/Binaries/Odbcconf/",
+      "riskTags": ["defense-evasion", "execution"]
+    },
+    "powershell.exe": {
+      "attackTactics": ["TA0002", "TA0005", "TA0011"],
+      "attackTechniques": ["T1041", "T1059.001", "T1105"],
+      "contexts": ["admin", "user"],
+      "functions": ["command", "download", "script-execution", "shell", "upload"],
+      "reference": "https://lolbas-project.github.io/lolbas/Binaries/Powershell/",
+      "riskTags": ["execution", "network-transfer", "persistence"]
+    },
+    "pwsh.exe": {
+      "attackTactics": ["TA0002", "TA0005", "TA0011"],
+      "attackTechniques": ["T1041", "T1059.001", "T1105"],
+      "contexts": ["admin", "user"],
+      "functions": ["command", "download", "script-execution", "shell", "upload"],
+      "reference": "https://lolbas-project.github.io/lolbas/Binaries/Powershell/",
+      "riskTags": ["execution", "network-transfer", "persistence"]
+    },
+    "regsvr32.exe": {
+      "attackTactics": ["TA0002", "TA0005"],
+      "attackTechniques": ["T1218.010"],
+      "contexts": ["admin", "user"],
+      "functions": ["library-load", "proxy-execution", "script-execution"],
+      "reference": "https://lolbas-project.github.io/lolbas/Binaries/Regsvr32/",
+      "riskTags": ["defense-evasion", "execution"]
+    },
+    "rundll32.exe": {
+      "attackTactics": ["TA0002", "TA0005"],
+      "attackTechniques": ["T1218.011"],
+      "contexts": ["admin", "user"],
+      "functions": ["library-load", "proxy-execution"],
+      "reference": "https://lolbas-project.github.io/lolbas/Binaries/Rundll32/",
+      "riskTags": ["defense-evasion", "execution"]
+    },
+    "wmic.exe": {
+      "attackTactics": ["TA0002", "TA0005", "TA0011"],
+      "attackTechniques": ["T1047", "T1105"],
+      "contexts": ["admin", "user"],
+      "functions": ["command", "download", "process-create"],
+      "reference": "https://lolbas-project.github.io/lolbas/Binaries/Wmic/",
+      "riskTags": ["execution", "network-transfer", "reconnaissance"]
+    },
+    "wscript.exe": {
+      "attackTactics": ["TA0002", "TA0005"],
+      "attackTechniques": ["T1059.005", "T1216"],
+      "contexts": ["admin", "user"],
+      "functions": ["proxy-execution", "script-execution"],
+      "reference": "https://lolbas-project.github.io/lolbas/Binaries/Wscript/",
+      "riskTags": ["defense-evasion", "execution"]
+    }
+  },
+  "source": "https://github.com/LOLBAS-Project/LOLBAS",
+  "sourceRef": "https://lolbas-project.github.io/"
+}

package/data/queries-darwin.json

@@ -14,7 +14,7 @@
   "chrome_extensions": {
     "query": "select chrome_extensions.* from users join chrome_extensions using (uid);",
     "description": "Retrieves the list of extensions for Chrome in the target system.",
-    "purlType": "swid",
+    "purlType": "chrome-extension",
     "componentType": "application"
   },
   "firefox_addons": {
@@ -26,7 +26,7 @@
   "vscode_extensions": {
     "query": "select vscode_extensions.* from users join vscode_extensions using (uid);",
     "description": "Lists all vscode extensions.",
-    "purlType": "vsix",
+    "purlType": "vscode-extension",
     "componentType": "application"
   },
   "apps": {
@@ -47,6 +47,66 @@
     "purlType": "swid",
     "componentType": "data"
   },
+  "users_snapshot": {
+    "query": "SELECT username as name, uuid as version, description, directory, shell, uid, gid, is_hidden FROM users;",
+    "description": "Local account inventory including hidden-user attributes on macOS.",
+    "purlType": "swid",
+    "componentType": "data"
+  },
+  "logged_in_users_snapshot": {
+    "query": "SELECT user as name, '' as version, type as description, pid, host, tty, time FROM logged_in_users;",
+    "description": "Interactive and remote user sessions currently active on the host.",
+    "purlType": "swid",
+    "componentType": "data"
+  },
+  "shell_history_snapshot": {
+    "query": "SELECT users.username as name, '' as version, shell_history.command as description, shell_history.time, shell_history.history_file, shell_history.uid FROM users JOIN shell_history USING (uid);",
+    "description": "User shell command history metadata for investigation support.",
+    "purlType": "swid",
+    "componentType": "data"
+  },
+  "homebrew_packages": {
+    "query": "SELECT * FROM homebrew_packages;",
+    "description": "Homebrew formula and cask inventory including auto-update behavior.",
+    "purlType": "swid",
+    "componentType": "application"
+  },
+  "launchd_services": {
+    "query": "SELECT name, label, path, program, run_at_load, keep_alive, disabled, username, groupname, stdout_path, stderr_path, start_interval, program_arguments, watch_paths, queue_directories, start_on_mount, working_directory, process_type FROM launchd;",
+    "description": "LaunchAgents and LaunchDaemons configuration used for macOS persistence.",
+    "purlType": "swid",
+    "componentType": "application"
+  },
+  "launchd_overrides": {
+    "query": "SELECT label as name, key as version, value as description, uid, path FROM launchd_overrides;",
+    "description": "Per-user launchd override state that can alter startup behavior.",
+    "purlType": "swid",
+    "componentType": "data"
+  },
+  "alf": {
+    "query": "SELECT 'alf' as name, global_state as version, version as description, allow_signed_enabled, firewall_unload, logging_enabled, logging_option, stealth_enabled FROM alf;",
+    "description": "Application Layer Firewall (ALF) configuration and enforcement posture.",
+    "purlType": "swid",
+    "componentType": "data"
+  },
+  "alf_exceptions": {
+    "query": "SELECT path as name, state as version FROM alf_exceptions;",
+    "description": "Firewall allow/block exception list for specific executables or bundle identifiers.",
+    "purlType": "swid",
+    "componentType": "data"
+  },
+  "xprotect_entries": {
+    "query": "SELECT * FROM xprotect_entries;",
+    "description": "Built-in XProtect malware signature entries on macOS.",
+    "purlType": "swid",
+    "componentType": "data"
+  },
+  "xprotect_meta": {
+    "query": "SELECT identifier as name, min_version as version, type as description, developer_id FROM xprotect_meta;",
+    "description": "XProtect browser extension/plugin policy metadata.",
+    "purlType": "swid",
+    "componentType": "data"
+  },
   "package_bom": {
     "query": "SELECT * FROM package_bom;",
     "description": "macOS package bill of materials (BOM) file list.",
@@ -84,7 +144,7 @@
     "componentType": "data"
   },
   "listening_ports": {
-    "query": "SELECT DISTINCT process.name, listening.port, listening.protocol, listening.family, listening.address, process.pid, process.path, process.on_disk, process.parent, process.start_time FROM processes AS process JOIN listening_ports AS listening ON process.pid = listening.pid;",
+    "query": "SELECT DISTINCT process.name, listening.port, listening.protocol, listening.family, listening.address, process.pid, process.path, process.cmdline, process.cwd, process.uid, process.on_disk, process.parent, process.start_time FROM processes AS process JOIN listening_ports AS listening ON process.pid = listening.pid;",
     "description": "List all processes and their listening_ports.",
     "purlType": "swid",
     "componentType": "application"

package/data/queries-win.json

@@ -15,7 +15,7 @@
   "chrome_extensions": {
     "query": "select chrome_extensions.* from users join chrome_extensions using (uid);",
     "description": "Retrieves the list of extensions for Chrome in the target system.",
-    "purlType": "swid",
+    "purlType": "chrome-extension",
     "componentType": "application"
   },
   "firefox_addons": {
@@ -27,7 +27,7 @@
   "vscode_extensions": {
     "query": "select vscode_extensions.* from users join vscode_extensions using (uid);",
     "description": "Lists all vscode extensions.",
-    "purlType": "vsix",
+    "purlType": "vscode-extension",
     "componentType": "application"
   },
   "browser_plugins": {
@@ -88,6 +88,24 @@
     "purlType": "swid",
     "componentType": "data"
   },
+  "users_snapshot": {
+    "query": "SELECT username as name, uuid as version, description, directory, uid, type, gid FROM users;",
+    "description": "Local and domain-backed user account inventory on Windows endpoints.",
+    "purlType": "swid",
+    "componentType": "data"
+  },
+  "logged_in_users_snapshot": {
+    "query": "SELECT user as name, '' as version, type as description, pid, host, tty, time, sid, registry_hive FROM logged_in_users;",
+    "description": "Interactive and remote user sessions active on the endpoint.",
+    "purlType": "swid",
+    "componentType": "data"
+  },
+  "logon_sessions": {
+    "query": "SELECT user as name, logon_type as version, authentication_package as description, logon_id, logon_domain, session_id, logon_sid, logon_time, logon_server, dns_domain_name, upn, profile_path, home_directory, home_directory_drive FROM logon_sessions;",
+    "description": "Windows logon session inventory for authentication and identity investigations.",
+    "purlType": "swid",
+    "componentType": "data"
+  },
   "pipes_snapshot": {
     "query": "SELECT processes.path, processes.cmdline, processes.uid, processes.on_disk, pipes.name, pid FROM pipes JOIN processes USING (pid);",
     "description": "Pipes snapshot query.",
@@ -130,6 +148,30 @@
     "purlType": "swid",
     "componentType": "data"
   },
+  "windows_security_products": {
+    "query": "SELECT * FROM windows_security_products;",
+    "description": "Registered endpoint security products and signature posture.",
+    "purlType": "swid",
+    "componentType": "data"
+  },
+  "windows_security_center": {
+    "query": "SELECT antivirus as name, firewall as version, autoupdate as description, internet_settings, windows_security_center_service, user_account_control FROM windows_security_center;",
+    "description": "Windows Security Center overall protection health indicators.",
+    "purlType": "swid",
+    "componentType": "data"
+  },
+  "windows_bitlocker_info": {
+    "query": "SELECT device_id as name, drive_letter as version, encryption_method as description, persistent_volume_id, conversion_status, protection_status, percentage_encrypted, lock_status FROM bitlocker_info;",
+    "description": "BitLocker protection and encryption state for local drives.",
+    "purlType": "swid",
+    "componentType": "data"
+  },
+  "windows_run_keys": {
+    "query": "SELECT path as name, mtime as version, data as description, key, type FROM registry WHERE (key LIKE 'HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\%' OR key LIKE 'HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\%' OR key LIKE 'HKEY_USERS\\%\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\%' OR key LIKE 'HKEY_USERS\\%\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\%') AND type != 'subkey';",
+    "description": "Registry Run/RunOnce autostart entries commonly abused for persistence.",
+    "purlType": "swid",
+    "componentType": "data"
+  },
   "etc_hosts": {
     "query": "SELECT * FROM etc_hosts;",
     "description": "List the contents of the Windows hosts file.",
@@ -165,7 +207,7 @@
     "componentType": "data"
   },
   "listening_ports": {
-    "query": "SELECT DISTINCT process.name, listening.port, listening.protocol, listening.family, listening.address, process.pid, process.path, process.on_disk, process.parent, process.start_time FROM processes AS process JOIN listening_ports AS listening ON process.pid = listening.pid;",
+    "query": "SELECT DISTINCT process.name, listening.port, listening.protocol, listening.family, listening.address, process.pid, process.path, process.cmdline, process.cwd, process.uid, process.on_disk, process.parent, process.start_time FROM processes AS process JOIN listening_ports AS listening ON process.pid = listening.pid;",
     "description": "List all processes and their listening_ports.",
     "purlType": "swid",
     "componentType": "application"

package/data/queries.json

@@ -15,7 +15,7 @@
   "chrome_extensions": {
     "query": "select chrome_extensions.* from users join chrome_extensions using (uid);",
     "description": "Retrieves the list of extensions for Chrome in the target system.",
-    "purlType": "swid",
+    "purlType": "chrome-extension",
     "componentType": "application"
   },
   "firefox_addons": {
@@ -66,6 +66,36 @@
     "purlType": "swid",
     "componentType": "data"
   },
+  "users_snapshot": {
+    "query": "SELECT username as name, uuid as version, description, directory, shell, uid, gid FROM users;",
+    "description": "Local user inventory for account and shell posture analysis.",
+    "purlType": "swid",
+    "componentType": "data"
+  },
+  "logged_in_users_snapshot": {
+    "query": "SELECT user as name, '' as version, type as description, pid, tty, host, time FROM logged_in_users;",
+    "description": "Interactive and remote user sessions currently active on the host.",
+    "purlType": "swid",
+    "componentType": "data"
+  },
+  "shell_history_snapshot": {
+    "query": "SELECT users.username as name, '' as version, shell_history.command as description, shell_history.time, shell_history.history_file, shell_history.uid FROM users JOIN shell_history USING (uid);",
+    "description": "User shell command history metadata for investigation support.",
+    "purlType": "swid",
+    "componentType": "data"
+  },
+  "authorized_keys_snapshot": {
+    "query": "SELECT users.username as name, authorized_keys.algorithm as version, authorized_keys.comment as description, authorized_keys.key_file, authorized_keys.options, authorized_keys.uid FROM users JOIN authorized_keys USING (uid);",
+    "description": "Authorized SSH key metadata per account without exporting key material.",
+    "purlType": "swid",
+    "componentType": "data"
+  },
+  "sudoers_snapshot": {
+    "query": "SELECT header as name, source as path, rule_details as description FROM sudoers;",
+    "description": "Sudo policy entries for least-privilege and privileged access review.",
+    "purlType": "swid",
+    "componentType": "data"
+  },
   "etc_hosts": {
     "query": "SELECT * FROM etc_hosts;",
     "description": "List the contents of the Windows hosts file.",
@@ -84,6 +114,18 @@
     "purlType": "swid",
     "componentType": "data"
   },
+  "systemd_units": {
+    "query": "SELECT id as name, active_state as version, description, load_state, sub_state, unit_file_state, user, fragment_path, source_path FROM systemd_units;",
+    "description": "Systemd unit state and execution source inventory.",
+    "purlType": "swid",
+    "componentType": "application"
+  },
+  "etc_services": {
+    "query": "SELECT * FROM etc_services;",
+    "description": "Service-to-port mappings configured in /etc/services.",
+    "purlType": "swid",
+    "componentType": "data"
+  },
   "behavioral_reverse_shell": {
     "query": "SELECT DISTINCT(processes.pid), processes.parent, processes.name, processes.path, processes.cmdline, processes.cwd, processes.root, processes.uid, processes.gid, processes.start_time, process_open_sockets.remote_address, process_open_sockets.remote_port, (SELECT cmdline FROM processes AS parent_cmdline WHERE pid=processes.parent) AS parent_cmdline FROM processes JOIN process_open_sockets USING (pid) LEFT OUTER JOIN process_open_files ON processes.pid = process_open_files.pid WHERE (name='sh' OR name='bash') AND remote_address NOT IN ('0.0.0.0', '::', '') AND remote_address NOT LIKE '10.%' AND remote_address NOT LIKE '192.168.%';",
     "description": "Find shell processes that have open sockets.",
@@ -96,6 +138,24 @@
     "purlType": "swid",
     "componentType": "data"
   },
+  "sudo_executions": {
+    "query": "SELECT COALESCE((SELECT proc.name FROM processes AS proc WHERE proc.pid = process_events.pid), process_events.path) AS name, process_events.path, process_events.cmdline, process_events.cwd, process_events.auid, process_events.uid, process_events.euid, process_events.gid, process_events.egid, process_events.parent, process_events.pid, process_events.time, process_events.ctime, COALESCE((SELECT username FROM users WHERE uid = process_events.auid), '') AS login_user, COALESCE((SELECT username FROM users WHERE uid = process_events.uid), '') AS real_user, COALESCE((SELECT username FROM users WHERE uid = process_events.euid), '') AS effective_user, COALESCE((SELECT parent.name FROM processes AS parent WHERE parent.pid = process_events.parent), '') AS parent_name, COALESCE((SELECT parent.path FROM processes AS parent WHERE parent.pid = process_events.parent), '') AS parent_path, COALESCE((SELECT parent.cmdline FROM processes AS parent WHERE parent.pid = process_events.parent), '') AS parent_cmdline, COALESCE((SELECT unit.id FROM systemd_units AS unit WHERE unit.fragment_path = process_events.path OR unit.source_path = process_events.path LIMIT 1), '') AS service_unit, CASE WHEN process_events.path LIKE '/usr/bin/%' OR process_events.path LIKE '/usr/sbin/%' OR process_events.path LIKE '/bin/%' OR process_events.path LIKE '/sbin/%' THEN 'system-package-path' WHEN process_events.path LIKE '/opt/%' THEN 'optional-system-path' WHEN process_events.path LIKE '/snap/%' THEN 'snap-path' WHEN process_events.path LIKE '/home/%' OR process_events.path LIKE '/tmp/%' OR process_events.path LIKE '/var/tmp/%' OR process_events.path LIKE '/dev/shm/%' OR process_events.path LIKE '/run/user/%' THEN 'user-writable-path' ELSE 'unclassified-path' END AS package_source_hint FROM process_events WHERE (process_events.path IN ('/usr/bin/sudo', '/usr/bin/pkexec', '/usr/bin/doas', '/bin/su', '/usr/bin/su') OR process_events.cmdline LIKE 'sudo %' OR process_events.cmdline LIKE 'pkexec %' OR process_events.cmdline LIKE '% pkexec %' OR process_events.cmdline LIKE 'doas %' OR process_events.cmdline LIKE '% doas %' OR process_events.cmdline LIKE 'su %') AND process_events.cmdline NOT LIKE '%_key%' AND process_events.cmdline NOT LIKE '%secret%';",
+    "description": "Privileged execution events involving sudo, pkexec, doas, or su.",
+    "purlType": "swid",
+    "componentType": "application"
+  },
+  "privilege_transitions": {
+    "query": "SELECT COALESCE((SELECT proc.name FROM processes AS proc WHERE proc.pid = process_events.pid), process_events.path) AS name, process_events.path, process_events.cmdline, process_events.cwd, process_events.auid, process_events.uid, process_events.euid, process_events.gid, process_events.egid, process_events.parent, process_events.pid, process_events.time, process_events.ctime, COALESCE((SELECT username FROM users WHERE uid = process_events.auid), '') AS login_user, COALESCE((SELECT username FROM users WHERE uid = process_events.uid), '') AS real_user, COALESCE((SELECT username FROM users WHERE uid = process_events.euid), '') AS effective_user, COALESCE((SELECT parent.name FROM processes AS parent WHERE parent.pid = process_events.parent), '') AS parent_name, COALESCE((SELECT parent.path FROM processes AS parent WHERE parent.pid = process_events.parent), '') AS parent_path, COALESCE((SELECT parent.cmdline FROM processes AS parent WHERE parent.pid = process_events.parent), '') AS parent_cmdline, COALESCE((SELECT unit.id FROM systemd_units AS unit WHERE unit.fragment_path = process_events.path OR unit.source_path = process_events.path LIMIT 1), '') AS service_unit, CASE WHEN process_events.path LIKE '/usr/bin/%' OR process_events.path LIKE '/usr/sbin/%' OR process_events.path LIKE '/bin/%' OR process_events.path LIKE '/sbin/%' THEN 'system-package-path' WHEN process_events.path LIKE '/opt/%' THEN 'optional-system-path' WHEN process_events.path LIKE '/snap/%' THEN 'snap-path' WHEN process_events.path LIKE '/home/%' OR process_events.path LIKE '/tmp/%' OR process_events.path LIKE '/var/tmp/%' OR process_events.path LIKE '/dev/shm/%' OR process_events.path LIKE '/run/user/%' THEN 'user-writable-path' ELSE 'unclassified-path' END AS package_source_hint FROM process_events WHERE (process_events.uid != process_events.euid OR process_events.gid != process_events.egid) AND process_events.path NOT IN ('/bin/sed', '/usr/bin/tr', '/bin/gawk', '/bin/date', '/bin/mktemp', '/usr/bin/dirname', '/usr/bin/head', '/usr/bin/jq', '/bin/cut', '/bin/uname', '/bin/basename') AND process_events.cmdline NOT LIKE '%_key%' AND process_events.cmdline NOT LIKE '%secret%';",
+    "description": "Process executions where real and effective privileges differ.",
+    "purlType": "swid",
+    "componentType": "application"
+  },
+  "elevated_processes": {
+    "query": "SELECT DISTINCT process.name, process.path, process.cmdline, process.cwd, process.root, process.uid, process.gid, process.pid, process.parent, process.start_time, process.on_disk, COALESCE(users.username, '') AS account, COALESCE((SELECT parent.name FROM processes AS parent WHERE parent.pid = process.parent), '') AS parent_name, COALESCE((SELECT parent.path FROM processes AS parent WHERE parent.pid = process.parent), '') AS parent_path, COALESCE((SELECT parent.cmdline FROM processes AS parent WHERE parent.pid = process.parent), '') AS parent_cmdline, COALESCE((SELECT unit.id FROM systemd_units AS unit WHERE unit.fragment_path = process.path OR unit.source_path = process.path LIMIT 1), '') AS service_unit, CASE WHEN process.path LIKE '/usr/bin/%' OR process.path LIKE '/usr/sbin/%' OR process.path LIKE '/bin/%' OR process.path LIKE '/sbin/%' THEN 'system-package-path' WHEN process.path LIKE '/opt/%' THEN 'optional-system-path' WHEN process.path LIKE '/snap/%' THEN 'snap-path' WHEN process.path LIKE '/home/%' OR process.path LIKE '/tmp/%' OR process.path LIKE '/var/tmp/%' OR process.path LIKE '/dev/shm/%' OR process.path LIKE '/run/user/%' THEN 'user-writable-path' ELSE 'unclassified-path' END AS package_source_hint FROM processes AS process LEFT JOIN users ON process.uid = users.uid WHERE process.uid = 0 OR process.uid BETWEEN 1 AND 999;",
+    "description": "Processes running as root or service-style system accounts with lineage hints.",
+    "purlType": "swid",
+    "componentType": "application"
+  },
   "ld_preload": {
     "query": "SELECT process_envs.pid, process_envs.key, process_envs.value, processes.name, processes.path, processes.cmdline, processes.cwd FROM process_envs join processes USING (pid) WHERE key = 'LD_PRELOAD';",
     "description": "Any processes that run with an LD_PRELOAD environment variable.",
@@ -114,6 +174,12 @@
     "purlType": "swid",
     "componentType": "data"
   },
+  "process_open_sockets": {
+    "query": "SELECT * FROM process_open_sockets WHERE remote_address NOT IN ('0.0.0.0', '::', '');",
+    "description": "Network sockets opened by processes with non-empty remote endpoints.",
+    "purlType": "swid",
+    "componentType": "data"
+  },
   "startup_items": {
     "query": "SELECT * FROM startup_items;",
     "description": "List all startup_items.",
@@ -121,11 +187,17 @@
     "componentType": "data"
   },
   "listening_ports": {
-    "query": "SELECT DISTINCT process.name, listening.port, listening.protocol, listening.family, listening.address, process.pid, process.path, process.on_disk, process.parent, process.start_time FROM processes AS process JOIN listening_ports AS listening ON process.pid = listening.pid;",
+    "query": "SELECT DISTINCT process.name, listening.port, listening.protocol, listening.family, listening.address, process.pid, process.path, process.cmdline, process.cwd, process.uid, process.on_disk, process.parent, process.start_time FROM processes AS process JOIN listening_ports AS listening ON process.pid = listening.pid;",
     "description": "List all processes and their listening_ports.",
     "purlType": "swid",
     "componentType": "application"
   },
+  "privileged_listening_ports": {
+    "query": "SELECT DISTINCT process.name, listening.port, listening.protocol, listening.family, listening.address, process.pid, process.path, process.cmdline, process.cwd, process.uid, process.gid, process.on_disk, process.parent, process.start_time, COALESCE(users.username, '') AS account, COALESCE((SELECT parent.name FROM processes AS parent WHERE parent.pid = process.parent), '') AS parent_name, COALESCE((SELECT parent.path FROM processes AS parent WHERE parent.pid = process.parent), '') AS parent_path, COALESCE((SELECT parent.cmdline FROM processes AS parent WHERE parent.pid = process.parent), '') AS parent_cmdline, COALESCE((SELECT unit.id FROM systemd_units AS unit WHERE unit.fragment_path = process.path OR unit.source_path = process.path LIMIT 1), '') AS service_unit, CASE WHEN process.path LIKE '/usr/bin/%' OR process.path LIKE '/usr/sbin/%' OR process.path LIKE '/bin/%' OR process.path LIKE '/sbin/%' THEN 'system-package-path' WHEN process.path LIKE '/opt/%' THEN 'optional-system-path' WHEN process.path LIKE '/snap/%' THEN 'snap-path' WHEN process.path LIKE '/home/%' OR process.path LIKE '/tmp/%' OR process.path LIKE '/var/tmp/%' OR process.path LIKE '/dev/shm/%' OR process.path LIKE '/run/user/%' THEN 'user-writable-path' ELSE 'unclassified-path' END AS package_source_hint FROM processes AS process JOIN listening_ports AS listening ON process.pid = listening.pid LEFT JOIN users ON process.uid = users.uid WHERE process.uid = 0 OR process.uid BETWEEN 1 AND 999;",
+    "description": "Listening ports owned by root or service-style processes with lineage and path hints.",
+    "purlType": "swid",
+    "componentType": "application"
+  },
   "interface_addresses": {
     "query": "SELECT * FROM interface_addresses;",
     "description": "List all interface_addresses.",