@gendigital/sage 0.4.0

package/resources/threats/mitre.yaml

@@ -0,0 +1,810 @@
+# MITRE ATT&CK threat detection patterns for Sage
+# Author: Gen Digital Inc.
+# License: DRL-1.1 (see threats/LICENSE)
+# Schema: id, category, severity, confidence, action, pattern, match_on, title, expires_at, revoked
+
+# --- T1003.001: LSASS Memory ---
+- id: "CLT-MITRE-001"
+  category: credential_access
+  severity: critical
+  confidence: 0.90
+  action: block
+  pattern: "(rundll32(\\.exe)?.*comsvcs\\.dll,MiniDump.*|procdump.*-ma.*lsass\\.exe.*lsass_dump|sekurlsa::Minidump.*lsassdump\\.dmp|sekurlsa::logonPasswords)"
+  case_insensitive: true
+  match_on: command
+  title: "MITRE ATT&CK T1003.001 - LSASS Memory"
+  expires_at: null
+  revoked: false
+
+# --- T1003.002: Security Account Manager ---
+- id: "CLT-MITRE-002"
+  category: credential_access
+  severity: critical
+  confidence: 0.90
+  action: block
+  pattern: "(reg.*save.*HKLM.*sam.*sam|reg.*save.*HKLM.*system.*system)"
+  case_insensitive: true
+  match_on: command
+  title: "MITRE ATT&CK T1003.002 - Security Account Manager"
+  expires_at: null
+  revoked: false
+
+# --- T1003.003: NTDS ---
+- id: "CLT-MITRE-003"
+  category: credential_access
+  severity: critical
+  confidence: 0.90
+  action: block
+  pattern: "ntdsutil(\\.exe)?"
+  case_insensitive: true
+  match_on: command
+  title: "MITRE ATT&CK T1003.003 - NTDS"
+  expires_at: null
+  revoked: false
+
+# --- T1003.004: LSA Secrets ---
+- id: "CLT-MITRE-004"
+  category: credential_access
+  severity: critical
+  confidence: 0.90
+  action: block
+  pattern: "Get-LSASecret\\.ps1"
+  case_insensitive: true
+  match_on: command
+  title: "MITRE ATT&CK T1003.004 - LSA Secrets"
+  expires_at: null
+  revoked: false
+
+# --- T1003.005: Cached Domain Credentials ---
+- id: "CLT-MITRE-005"
+  category: credential_access
+  severity: critical
+  confidence: 0.90
+  action: block
+  pattern: "cmdkey(\\.exe)?.*/list"
+  case_insensitive: true
+  match_on: command
+  title: "MITRE ATT&CK T1003.005 - Cached Domain Credentials"
+  expires_at: null
+  revoked: false
+
+# --- T1003.006: DC Sync ---
+- id: "CLT-MITRE-006"
+  category: credential_access
+  severity: critical
+  confidence: 0.90
+  action: block
+  pattern: "Invoke-Mimikatz.*-Command.*lsadump::dcsync.*/user:"
+  case_insensitive: true
+  match_on: command
+  title: "MITRE ATT&CK T1003.006 - DC Sync"
+  expires_at: null
+  revoked: false
+
+# --- T1003: OS Credential Dumping ---
+- id: "CLT-MITRE-007"
+  category: credential_access
+  severity: critical
+  confidence: 0.90
+  action: block
+  pattern: "(reg(\\.exe)? (save|export).*SAM|(PasswordDump|CreateMiniDump)|Invoke-PowerDump\\.ps1|Get-PassHashes\\.ps1|Get-RegAutoLogon\\.ps1)"
+  case_insensitive: true
+  match_on: command
+  title: "MITRE ATT&CK T1003 - OS Credential Dumping"
+  expires_at: null
+  revoked: false
+
+# --- T1020: Automated Exfiltration ---
+- id: "CLT-MITRE-012"
+  category: exfiltration
+  severity: high
+  confidence: 0.80
+  action: require_approval
+  pattern: "(rar(\\.exe)?.*[afu].*(-dw|-tb|-ta)|7z(\\.exe)?.*[au].*-sdel|Add-Exfiltration\\.ps1|Do-Exfiltration\\.ps1|Invoke-PostExfil\\.ps1)"
+  case_insensitive: true
+  match_on: command
+  title: "MITRE ATT&CK T1020 - Automated Exfiltration"
+  expires_at: null
+  revoked: false
+
+# --- T1021.003: Distributed Component Object Model ---
+- id: "CLT-MITRE-014"
+  category: lateral_movement
+  severity: high
+  confidence: 0.80
+  action: require_approval
+  pattern: "Invoke-DCOM.*\\-ComputerName"
+  case_insensitive: true
+  match_on: command
+  title: "MITRE ATT&CK T1021.003 - Distributed Component Object Model"
+  expires_at: null
+  revoked: false
+
+# --- T1027.003: Steganography ---
+- id: "CLT-MITRE-016"
+  category: defense_evasion
+  severity: high
+  confidence: 0.80
+  action: require_approval
+  pattern: "(Invoke-PSImage.*-Script|Invoke-PSImage)"
+  case_insensitive: true
+  match_on: command
+  title: "MITRE ATT&CK T1027.003 - Steganography"
+  expires_at: null
+  revoked: false
+
+# --- T1027.005: Indicator Removalfrom Tools ---
+- id: "CLT-MITRE-017"
+  category: defense_evasion
+  severity: high
+  confidence: 0.80
+  action: require_approval
+  pattern: "Find-AVSignature.*-Startbyte"
+  case_insensitive: true
+  match_on: command
+  title: "MITRE ATT&CK T1027.005 - Indicator Removalfrom Tools"
+  expires_at: null
+  revoked: false
+
+# --- T1040: Network Sniffing ---
+- id: "CLT-MITRE-020"
+  category: credential_access
+  severity: high
+  confidence: 0.80
+  action: require_approval
+  pattern: "netsh(\\.exe)?.*start.*trace"
+  case_insensitive: true
+  match_on: command
+  title: "MITRE ATT&CK T1040 - Network Sniffing"
+  expires_at: null
+  revoked: false
+
+# --- T1046: Network Service Scanning ---
+- id: "CLT-MITRE-022"
+  category: discovery
+  severity: high
+  confidence: 0.80
+  action: require_approval
+  pattern: "(telnet(\\.exe)?|nmap(\\.exe)?|Invoke-ARPScan\\.ps1|Invoke-PortScan\\.ps1|Invoke-SMBScanner\\.ps1|Port-Scan\\.ps1)"
+  case_insensitive: true
+  match_on: command
+  title: "MITRE ATT&CK T1046 - Network Service Scanning"
+  expires_at: null
+  revoked: false
+
+# --- T1048: Exfiltration Over Alternative Protocol ---
+- id: "CLT-MITRE-023"
+  category: exfiltration
+  severity: critical
+  confidence: 0.90
+  action: block
+  pattern: "(dnscat2|iodine)"
+  case_insensitive: true
+  match_on: command
+  title: "MITRE ATT&CK T1048 - Exfiltration Over Alternative Protocol"
+  expires_at: null
+  revoked: false
+
+# --- T1053.005: Scheduled Task ---
+- id: "CLT-MITRE-026"
+  category: persistence
+  severity: high
+  confidence: 0.80
+  action: require_approval
+  pattern: "(schtasks(\\.exe)?\\s+/create|schtasks(\\.exe)?\\s+/%windir:~0,1%reate|at\\.exe)"
+  case_insensitive: true
+  match_on: command
+  title: "MITRE ATT&CK T1053.005 - Scheduled Task"
+  expires_at: null
+  revoked: false
+
+# --- T1055.001: Dynamiclink Library Injection ---
+- id: "CLT-MITRE-027"
+  category: defense_evasion
+  severity: critical
+  confidence: 0.90
+  action: block
+  pattern: "Invoke-DllInjection\\.ps1"
+  case_insensitive: true
+  match_on: command
+  title: "MITRE ATT&CK T1055.001 - Dynamiclink Library Injection"
+  expires_at: null
+  revoked: false
+
+# --- T1069: Permission Groups Discovery ---
+- id: "CLT-MITRE-032"
+  category: discovery
+  severity: medium
+  confidence: 0.70
+  action: require_approval
+  pattern: "Get-ManagementRoleAssignment"
+  case_insensitive: true
+  match_on: command
+  title: "MITRE ATT&CK T1069 - Permission Groups Discovery"
+  expires_at: null
+  revoked: false
+
+# --- T1070.004: File Deletion ---
+- id: "CLT-MITRE-033"
+  category: defense_evasion
+  severity: high
+  confidence: 0.80
+  action: require_approval
+  pattern: "(cmd(\\.exe)?\\s+/c\\s+del\\s+/[sqf]|fsutil(\\.exe)?.*usn.*deleteJournal)"
+  case_insensitive: true
+  match_on: command
+  title: "MITRE ATT&CK T1070.004 - File Deletion"
+  expires_at: null
+  revoked: false
+
+# --- T1070.005: Network Share Connection Removal ---
+- id: "CLT-MITRE-034"
+  category: defense_evasion
+  severity: high
+  confidence: 0.80
+  action: require_approval
+  pattern: "net(1)?(\\.exe)?.*use.*\\\\\\\\.*\\\\.*/delete$"
+  case_insensitive: true
+  match_on: command
+  title: "MITRE ATT&CK T1070.005 - Network Share Connection Removal"
+  expires_at: null
+  revoked: false
+
+# --- T1087.002: Domain Account ---
+- id: "CLT-MITRE-037"
+  category: discovery
+  severity: medium
+  confidence: 0.70
+  action: require_approval
+  pattern: "(net1.*user.*/dom|net(\\.exe)?.*user.*/dom|net1.*group.*/dom|net(\\.exe)?.*group.*/dom)"
+  case_insensitive: true
+  match_on: command
+  title: "MITRE ATT&CK T1087.002 - Domain Account"
+  expires_at: null
+  revoked: false
+
+# --- T1087.003: Email Account ---
+- id: "CLT-MITRE-038"
+  category: discovery
+  severity: medium
+  confidence: 0.70
+  action: require_approval
+  pattern: "Get-.*GlobalAddressList"
+  case_insensitive: true
+  match_on: command
+  title: "MITRE ATT&CK T1087.003 - Email Account"
+  expires_at: null
+  revoked: false
+
+# --- T1098.002: Exchange Email Delegate Permissions ---
+- id: "CLT-MITRE-039"
+  category: persistence
+  severity: high
+  confidence: 0.80
+  action: require_approval
+  pattern: "Add-MailboxPermission"
+  case_insensitive: true
+  match_on: command
+  title: "MITRE ATT&CK T1098.002 - Exchange Email Delegate Permissions"
+  expires_at: null
+  revoked: false
+
+# --- T1098: Account Manipulation ---
+- id: "CLT-MITRE-040"
+  category: persistence
+  severity: high
+  confidence: 0.80
+  action: require_approval
+  pattern: "(net(1|\\.exe)?.*user.*\\w+.*/add|net(1|\\.exe)?.*group.*Administrators.*\\w+ /add|net(1|\\.exe)?.*localgroup.*Administrators.*\\w+ /add)"
+  case_insensitive: true
+  match_on: command
+  title: "MITRE ATT&CK T1098 - Account Manipulation"
+  expires_at: null
+  revoked: false
+
+# --- T1105: Ingress Tool Transfer ---
+- id: "CLT-MITRE-041"
+  category: command_and_control
+  severity: high
+  confidence: 0.80
+  action: require_approval
+  pattern: "(certutil(\\.exe)?.*-(decode|decodehex|encode|ping|url|urlcache|verifyctl)|MpCmdRun(\\.exe)?.*-DownloadFile.*-url.*http|\\(new-object System\\.Net\\.WebClient\\)\\.DownloadFile|bitsadmin(\\.exe)?.*/(transfer|download|create|addfile|setnotifycmdline|resume|complete)|Start-BitsTransfer)"
+  case_insensitive: true
+  match_on: command
+  title: "MITRE ATT&CK T1105 - Ingress Tool Transfer"
+  expires_at: null
+  revoked: false
+
+# --- T1110.004: Credential Stuffing ---
+- id: "CLT-MITRE-042"
+  category: credential_access
+  severity: high
+  confidence: 0.80
+  action: require_approval
+  pattern: "Invoke-CredentialInjection\\.ps1"
+  case_insensitive: true
+  match_on: command
+  title: "MITRE ATT&CK T1110.004 - Credential Stuffing"
+  expires_at: null
+  revoked: false
+
+# --- T1120: Peripheral Device Discovery ---
+- id: "CLT-MITRE-043"
+  category: discovery
+  severity: medium
+  confidence: 0.70
+  action: require_approval
+  pattern: "(Get-WMIObject.*Win32_PnPEntity|pnputil(\\.exe)?.*/enum-devices)"
+  case_insensitive: true
+  match_on: command
+  title: "MITRE ATT&CK T1120 - Peripheral Device Discovery"
+  expires_at: null
+  revoked: false
+
+# --- T1136.001: Local Account ---
+- id: "CLT-MITRE-048"
+  category: persistence
+  severity: high
+  confidence: 0.80
+  action: require_approval
+  pattern: "net(1)?(\\.exe)?.*user.*/add"
+  case_insensitive: true
+  match_on: command
+  title: "MITRE ATT&CK T1136.001 - Local Account"
+  expires_at: null
+  revoked: false
+
+# --- T1136.002: Domain Account ---
+- id: "CLT-MITRE-049"
+  category: persistence
+  severity: high
+  confidence: 0.80
+  action: require_approval
+  pattern: "net(1)?(\\.exe)?.*user.*/add.*/domain"
+  case_insensitive: true
+  match_on: command
+  title: "MITRE ATT&CK T1136.002 - Domain Account"
+  expires_at: null
+  revoked: false
+
+# --- T1201: Password Policy Discovery ---
+- id: "CLT-MITRE-050"
+  category: discovery
+  severity: medium
+  confidence: 0.70
+  action: require_approval
+  pattern: "(net.*accounts|Get-ADDefaultDomainPasswordPolicy|Get-PassPol)"
+  case_insensitive: true
+  match_on: command
+  title: "MITRE ATT&CK T1201 - Password Policy Discovery"
+  expires_at: null
+  revoked: false
+
+# --- T1202: Indirect Command Execution ---
+- id: "CLT-MITRE-051"
+  category: defense_evasion
+  severity: high
+  confidence: 0.80
+  action: require_approval
+  pattern: "(regsvr32(\\.exe)?.*/i:http(s)?://.+.*scrobj\\.dll|rundll32(\\.exe)?.*pcwutl\\.dll,LaunchApplication|rundll32(\\.exe)?.*shell32\\.dll,ShellExec_RunDLL|rundll32(\\.exe)?.*url\\.dll,OpenURL|msiexec(\\.exe)?.*-(Y|Z)|regasm(\\.exe)?.*/u.*\\\\)"
+  case_insensitive: true
+  match_on: command
+  title: "MITRE ATT&CK T1202 - Indirect Command Execution"
+  expires_at: null
+  revoked: false
+
+# --- T1203: Exploitationfor Client Execution ---
+- id: "CLT-MITRE-052"
+  category: execution
+  severity: critical
+  confidence: 0.90
+  action: block
+  pattern: "(p\\^+o\\^+w\\^+e\\^+r\\^+s\\^+h\\^+e\\^+l\\^+l|w\\^+s\\^+c\\^+r\\^+i\\^+p\\^+t|c\\^+e\\^+r\\^+t\\^+u\\^+t\\^+i\\^+l|m\\^+s\\^+h\\^+t\\^+a|explorer\\.exe .*\\.vbs$)"
+  case_insensitive: true
+  match_on: command
+  title: "MITRE ATT&CK T1203 - Exploitationfor Client Execution"
+  expires_at: null
+  revoked: false
+
+# --- T1216.001: Pub Prn ---
+- id: "CLT-MITRE-053"
+  category: defense_evasion
+  severity: high
+  confidence: 0.80
+  action: require_approval
+  pattern: "pubprn\\.vbs"
+  case_insensitive: true
+  match_on: command
+  title: "MITRE ATT&CK T1216.001 - Pub Prn"
+  expires_at: null
+  revoked: false
+
+# --- T1218.012: Verclsid ---
+- id: "CLT-MITRE-064"
+  category: defense_evasion
+  severity: high
+  confidence: 0.80
+  action: require_approval
+  pattern: "verclsid(\\.exe)?.*/S.*/C.*\\{[0-9a-fA-F]{8}"
+  case_insensitive: true
+  match_on: command
+  title: "MITRE ATT&CK T1218.012 - Verclsid"
+  expires_at: null
+  revoked: false
+
+# --- T1220: XSL Script Processing ---
+- id: "CLT-MITRE-065"
+  category: defense_evasion
+  severity: high
+  confidence: 0.80
+  action: require_approval
+  pattern: "(msxsl(\\.exe)?.+\\.xsl|wmic(\\.exe)?.*process.*list.*/FORMAT:.+\\.xsl|wmic(\\.exe)?.*os.*get.*/FORMAT:.+\\.xsl|wmic.*process.*list.*/FORMAT:evil\\[\\.\\]xsl|wmic.*os.*get.*/FORMAT:https\\[:\\]//example\\[\\.\\]com/evil\\[\\.\\]xsl)"
+  case_insensitive: true
+  match_on: command
+  title: "MITRE ATT&CK T1220 - XSL Script Processing"
+  expires_at: null
+  revoked: false
+
+# --- T1482: Domain Trust Discovery ---
+- id: "CLT-MITRE-066"
+  category: discovery
+  severity: medium
+  confidence: 0.70
+  action: require_approval
+  pattern: "(nltest(\\.exe)?.*/domain_trusts|dsquery(\\.exe)?.*/trustedDomain|Get-NetDomainTrust|Get-NetForestTrust|Get-ADDomain)"
+  case_insensitive: true
+  match_on: command
+  title: "MITRE ATT&CK T1482 - Domain Trust Discovery"
+  expires_at: null
+  revoked: false
+
+# --- T1484.001: Group Policy Modification ---
+- id: "CLT-MITRE-067"
+  category: defense_evasion
+  severity: high
+  confidence: 0.80
+  action: require_approval
+  pattern: "(New-GPOImmediateTask|New-.*GPOImmediateTask)"
+  case_insensitive: true
+  match_on: command
+  title: "MITRE ATT&CK T1484.001 - Group Policy Modification"
+  expires_at: null
+  revoked: false
+
+# --- T1518.001: Security Software Discovery ---
+- id: "CLT-MITRE-071"
+  category: discovery
+  severity: medium
+  confidence: 0.70
+  action: require_approval
+  pattern: "(tasklist(\\.exe)?.+(virus|defender|cylance)|wmic(\\.exe)?.+Path.*AntiVirusProduct)"
+  case_insensitive: true
+  match_on: command
+  title: "MITRE ATT&CK T1518.001 - Security Software Discovery"
+  expires_at: null
+  revoked: false
+
+# --- T1518: Software Discovery ---
+- id: "CLT-MITRE-072"
+  category: discovery
+  severity: medium
+  confidence: 0.70
+  action: require_approval
+  pattern: "wmic(\\.exe)? product get name"
+  case_insensitive: true
+  match_on: command
+  title: "MITRE ATT&CK T1518 - Software Discovery"
+  expires_at: null
+  revoked: false
+
+# --- T1546.001: Change Default File Association ---
+- id: "CLT-MITRE-075"
+  category: persistence
+  severity: high
+  confidence: 0.80
+  action: require_approval
+  pattern: "cmd(\\.exe)?.*/c.+assoc"
+  case_insensitive: true
+  match_on: command
+  title: "MITRE ATT&CK T1546.001 - Change Default File Association"
+  expires_at: null
+  revoked: false
+
+# --- T1546.003: Windows Management Instrumentation Event Subscription ---
+- id: "CLT-MITRE-076"
+  category: persistence
+  severity: high
+  confidence: 0.80
+  action: require_approval
+  pattern: "scrcons\\.exe"
+  case_insensitive: true
+  match_on: command
+  title: "MITRE ATT&CK T1546.003 - Windows Management Instrumentation Event Subscription"
+  expires_at: null
+  revoked: false
+
+# --- T1546.007: Netsh Helper DLL ---
+- id: "CLT-MITRE-077"
+  category: persistence
+  severity: high
+  confidence: 0.80
+  action: require_approval
+  pattern: "netsh\\.exe add helper"
+  case_insensitive: true
+  match_on: command
+  title: "MITRE ATT&CK T1546.007 - Netsh Helper DLL"
+  expires_at: null
+  revoked: false
+
+# --- T1546.012: Image File Execution Options Injection ---
+- id: "CLT-MITRE-078"
+  category: persistence
+  severity: high
+  confidence: 0.80
+  action: require_approval
+  pattern: "(Add-ScrnSaveBackdoor\\.ps1|Add-RegBackdoor\\.ps1)"
+  case_insensitive: true
+  match_on: command
+  title: "MITRE ATT&CK T1546.012 - Image File Execution Options Injection"
+  expires_at: null
+  revoked: false
+
+# --- T1547: Bootor Logon Autostart Execution ---
+- id: "CLT-MITRE-081"
+  category: persistence
+  severity: high
+  confidence: 0.80
+  action: require_approval
+  pattern: "Add-Persistence\\.ps1"
+  case_insensitive: true
+  match_on: command
+  title: "MITRE ATT&CK T1547 - Bootor Logon Autostart Execution"
+  expires_at: null
+  revoked: false
+
+# --- T1548.002: Bypass User Account Control ---
+- id: "CLT-MITRE-082"
+  category: privilege_escalation
+  severity: high
+  confidence: 0.80
+  action: require_approval
+  pattern: "(Invoke-BypassUAC\\.ps1|Invoke-WScriptBypassUAC\\.ps1|Add-MpPreference\\.ps1)"
+  case_insensitive: true
+  match_on: command
+  title: "MITRE ATT&CK T1548.002 - Bypass User Account Control"
+  expires_at: null
+  revoked: false
+
+# --- T1552.002: Credentialsin Registry ---
+- id: "CLT-MITRE-083"
+  category: credential_access
+  severity: high
+  confidence: 0.80
+  action: require_approval
+  pattern: "reg(\\.exe)? query (HKLM|HKCU) /f password /t REG_SZ /s"
+  case_insensitive: true
+  match_on: command
+  title: "MITRE ATT&CK T1552.002 - Credentialsin Registry"
+  expires_at: null
+  revoked: false
+
+# --- T1553.004: Install Root Certificate ---
+- id: "CLT-MITRE-085"
+  category: defense_evasion
+  severity: high
+  confidence: 0.80
+  action: require_approval
+  pattern: "(certutil(\\.exe)? -addstore|certmgr(\\.exe)? -add)"
+  case_insensitive: true
+  match_on: command
+  title: "MITRE ATT&CK T1553.004 - Install Root Certificate"
+  expires_at: null
+  revoked: false
+
+# --- T1555.003: Credentialsfrom Web Browsers ---
+- id: "CLT-MITRE-086"
+  category: credential_access
+  severity: high
+  confidence: 0.80
+  action: require_approval
+  pattern: "(Get-ChromeDump\\.ps1|Get-FoxDump\\.ps1)"
+  case_insensitive: true
+  match_on: command
+  title: "MITRE ATT&CK T1555.003 - Credentialsfrom Web Browsers"
+  expires_at: null
+  revoked: false
+
+# --- T1555: Credentialsfrom Password Stores ---
+- id: "CLT-MITRE-087"
+  category: credential_access
+  severity: high
+  confidence: 0.80
+  action: require_approval
+  pattern: "Get-VaultCredential\\.ps1"
+  case_insensitive: true
+  match_on: command
+  title: "MITRE ATT&CK T1555 - Credentialsfrom Password Stores"
+  expires_at: null
+  revoked: false
+
+# --- T1558.001: Golden Ticket ---
+- id: "CLT-MITRE-088"
+  category: credential_access
+  severity: high
+  confidence: 0.80
+  action: require_approval
+  pattern: "(net(1)?(\\.exe)?.*group.*(domain admins|enterprise admins|organization management).*/domain$|Invoke-Mimikatz.*Golden.*Ticket)"
+  case_insensitive: true
+  match_on: command
+  title: "MITRE ATT&CK T1558.001 - Golden Ticket"
+  expires_at: null
+  revoked: false
+
+# --- T1558.002: Silver Ticket ---
+- id: "CLT-MITRE-089"
+  category: credential_access
+  severity: high
+  confidence: 0.80
+  action: require_approval
+  pattern: "Invoke-Mimikatz.*Silver.*Ticket"
+  case_insensitive: true
+  match_on: command
+  title: "MITRE ATT&CK T1558.002 - Silver Ticket"
+  expires_at: null
+  revoked: false
+
+# --- T1558.003: Kerberoasting ---
+- id: "CLT-MITRE-090"
+  category: credential_access
+  severity: high
+  confidence: 0.80
+  action: require_approval
+  pattern: "Invoke-Kerberoast"
+  case_insensitive: true
+  match_on: command
+  title: "MITRE ATT&CK T1558.003 - Kerberoasting"
+  expires_at: null
+  revoked: false
+
+# --- T1558.004: ASREP Roasting ---
+- id: "CLT-MITRE-091"
+  category: credential_access
+  severity: high
+  confidence: 0.80
+  action: require_approval
+  pattern: "Get-ASREPHash"
+  case_insensitive: true
+  match_on: command
+  title: "MITRE ATT&CK T1558.004 - ASREP Roasting"
+  expires_at: null
+  revoked: false
+
+# --- T1560.001: Archive Via Utility ---
+- id: "CLT-MITRE-092"
+  category: collection
+  severity: high
+  confidence: 0.80
+  action: require_approval
+  pattern: "(\\brar(\\.exe)?\\s+.*\\b[afu]\\b|\\bWinRAR(\\.exe)?\\s|\\b7z(\\.exe)?\\s+.*\\ba\\b|\\bzip(\\.exe)?\\s+.*-u|\\bWinZip32(\\.exe)?\\s)"
+  case_insensitive: true
+  match_on: command
+  title: "MITRE ATT&CK T1560.001 - Archive Via Utility"
+  expires_at: null
+  revoked: false
+
+# --- T1562.002: Disable Windows Event Logging ---
+- id: "CLT-MITRE-093"
+  category: defense_evasion
+  severity: high
+  confidence: 0.80
+  action: require_approval
+  pattern: "AUDITPOL(\\.exe)?.*/set.*/category:Detailed Tracking"
+  case_insensitive: true
+  match_on: command
+  title: "MITRE ATT&CK T1562.002 - Disable Windows Event Logging"
+  expires_at: null
+  revoked: false
+
+# --- T1562.003: Impair Command History Logging ---
+- id: "CLT-MITRE-094"
+  category: defense_evasion
+  severity: high
+  confidence: 0.80
+  action: require_approval
+  pattern: "(Set-.*PSReadLineOption.*-HistorySavePath.*\\{File.*Path\\}|Set-PSReadlineOption.*-HistorySaveStyle.*SaveNothing)"
+  case_insensitive: true
+  match_on: command
+  title: "MITRE ATT&CK T1562.003 - Impair Command History Logging"
+  expires_at: null
+  revoked: false
+
+# --- T1562.006: Indicator Blocking ---
+- id: "CLT-MITRE-095"
+  category: defense_evasion
+  severity: high
+  confidence: 0.80
+  action: require_approval
+  pattern: "(wevtutil(\\.exe)?.*(sl|set-log).+/e:false|wevtutil(\\.exe)?.*(cl|clear-log)|Set-.*EtwTraceProvider)"
+  case_insensitive: true
+  match_on: command
+  title: "MITRE ATT&CK T1562.006 - Indicator Blocking"
+  expires_at: null
+  revoked: false
+
+# --- T1563.002: RDP Hijacking ---
+- id: "CLT-MITRE-096"
+  category: lateral_movement
+  severity: high
+  confidence: 0.80
+  action: require_approval
+  pattern: "tscon(\\.exe)?.*$"
+  case_insensitive: true
+  match_on: command
+  title: "MITRE ATT&CK T1563.002 - RDP Hijacking"
+  expires_at: null
+  revoked: false
+
+# --- T1567.001: Exfiltrationto Code Repository ---
+- id: "CLT-MITRE-099"
+  category: exfiltration
+  severity: high
+  confidence: 0.80
+  action: require_approval
+  pattern: "Invoke-ExfilDataToGitHub"
+  case_insensitive: true
+  match_on: command
+  title: "MITRE ATT&CK T1567.001 - Exfiltrationto Code Repository"
+  expires_at: null
+  revoked: false
+
+# --- T1567.002: Exfiltrationto Cloud Storage ---
+- id: "CLT-MITRE-100"
+  category: exfiltration
+  severity: high
+  confidence: 0.80
+  action: require_approval
+  pattern: "Invoke-DropboxUpload"
+  case_insensitive: true
+  match_on: command
+  title: "MITRE ATT&CK T1567.002 - Exfiltrationto Cloud Storage"
+  expires_at: null
+  revoked: false
+
+# --- T1569: System Services ---
+- id: "CLT-MITRE-102"
+  category: execution
+  severity: high
+  confidence: 0.80
+  action: require_approval
+  pattern: "(subinacl(\\.exe) /service|sc(\\.exe)? sdset)"
+  case_insensitive: true
+  match_on: command
+  title: "MITRE ATT&CK T1569 - System Services"
+  expires_at: null
+  revoked: false
+
+# --- T1592.002: Software ---
+- id: "CLT-MITRE-104"
+  category: reconnaissance
+  severity: medium
+  confidence: 0.70
+  action: require_approval
+  pattern: "(powershell(\\.exe)?.*-Class.*AntiVirusProduct|powershell(\\.exe)?.*path.*AntiVirusProduct)"
+  case_insensitive: true
+  match_on: command
+  title: "MITRE ATT&CK T1592.002 - Software"
+  expires_at: null
+  revoked: false
+
+# --- T1592.004: Client Configurations ---
+- id: "CLT-MITRE-105"
+  category: reconnaissance
+  severity: medium
+  confidence: 0.70
+  action: require_approval
+  pattern: "(powershell(\\.exe)?.*-Class.*Win32_UserAccount|powershell(\\.exe)?.*Get-SmbShare)"
+  case_insensitive: true
+  match_on: command
+  title: "MITRE ATT&CK T1592.004 - Client Configurations"
+  expires_at: null
+  revoked: false