@gendigital/sage 0.4.0

package/resources/threats/win-commands.yaml

@@ -0,0 +1,785 @@
+# Windows command threat patterns for Sage
+# Author: Gen Digital Inc.
+# License: DRL-1.1 (see threats/LICENSE)
+# Covers: PowerShell download-execute (with aliases), LOLBins, destructive ops, reverse shells, privesc
+
+# --- PowerShell Download-Execute ---
+
+# Pipe to IEX: irm url | iex, iwr url | iex, curl url | iex, Invoke-WebRequest url | Invoke-Expression
+- id: "CLT-WIN-CMD-001"
+  category: tool
+  severity: critical
+  confidence: 0.95
+  action: block
+  pattern: "\\b([Ii][Rr][Mm]|[Ii][Ww][Rr]|curl|wget|[Ii]nvoke-[Ww]eb[Rr]equest|[Ii]nvoke-[Rr]est[Mm]ethod)\\b.*\\|\\s*([Ii][Ee][Xx]|[Ii]nvoke-[Ee]xpression)\\b"
+  match_on: command
+  title: "PowerShell download piped to Invoke-Expression"
+  expires_at: null
+  revoked: false
+
+# IEX wrapping download: iex(irm url), IEX((New-Object Net.WebClient).DownloadString(url))
+- id: "CLT-WIN-CMD-002"
+  category: tool
+  severity: critical
+  confidence: 0.95
+  action: block
+  pattern: "\\b([Ii][Ee][Xx]|[Ii]nvoke-[Ee]xpression)\\s*\\(?\\s*\\(?\\s*(\\b([Ii][Rr][Mm]|[Ii][Ww][Rr])\\b|[Nn]ew-[Oo]bject|[Ii]nvoke-[Ww]eb[Rr]equest|[Ii]nvoke-[Rr]est[Mm]ethod)"
+  match_on: command
+  title: "Invoke-Expression wrapping remote download"
+  expires_at: null
+  revoked: false
+
+# Start-Process with executable
+- id: "CLT-WIN-CMD-003"
+  category: tool
+  severity: high
+  confidence: 0.85
+  action: require_approval
+  pattern: "[Ss]tart-[Pp]rocess.*-[Ff]ile[Pp]ath.*\\.(exe|bat|cmd|ps1)"
+  match_on: command
+  title: "Start-Process launching executable file"
+  expires_at: null
+  revoked: false
+
+# Download to file then chain-execute: curl -o install.cmd url && install.cmd
+- id: "CLT-WIN-CMD-004"
+  category: tool
+  severity: critical
+  confidence: 0.90
+  action: block
+  pattern: "\\b(curl|wget|[Ii][Rr][Mm]|[Ii][Ww][Rr]|[Ii]nvoke-[Ww]eb[Rr]equest|[Ii]nvoke-[Rr]est[Mm]ethod)\\b[^|]*(-[Oo]\\w*\\s+|-[Oo]ut[Ff]ile\\s+)\\S+\\.(cmd|bat|ps1|exe|msi).*(&&|;)"
+  match_on: command
+  title: "Download file then chain-execute"
+  expires_at: null
+  revoked: false
+
+# .NET WebClient download
+- id: "CLT-WIN-CMD-005"
+  category: tool
+  severity: critical
+  confidence: 0.90
+  action: block
+  pattern: "[Nn]ew-[Oo]bject\\s+[Nn]et\\.[Ww]eb[Cc]lient.*[Dd]ownload(String|File)"
+  match_on: command
+  title: ".NET WebClient download (DownloadString/DownloadFile)"
+  expires_at: null
+  revoked: false
+
+# Start-BitsTransfer cmdlet
+- id: "CLT-WIN-CMD-006"
+  category: tool
+  severity: high
+  confidence: 0.85
+  action: require_approval
+  pattern: "[Ss]tart-[Bb]its[Tt]ransfer"
+  match_on: command
+  title: "PowerShell BITS transfer download"
+  expires_at: null
+  revoked: false
+
+# --- LOLBins (Living Off The Land Binaries) ---
+
+# certutil download/decode
+- id: "CLT-WIN-CMD-007"
+  category: tool
+  severity: critical
+  confidence: 0.95
+  action: block
+  pattern: "[Cc][Ee][Rr][Tt][Uu][Tt][Ii][Ll].*(-urlcache|-split|-decode)"
+  match_on: command
+  title: "certutil used for download or decode (LOLBin)"
+  expires_at: null
+  revoked: false
+
+# bitsadmin transfer
+- id: "CLT-WIN-CMD-008"
+  category: tool
+  severity: critical
+  confidence: 0.90
+  action: block
+  pattern: "[Bb][Ii][Tt][Ss][Aa][Dd][Mm][Ii][Nn].*/transfer"
+  match_on: command
+  title: "bitsadmin file transfer (LOLBin)"
+  expires_at: null
+  revoked: false
+
+# mshta remote HTA execution
+- id: "CLT-WIN-CMD-009"
+  category: tool
+  severity: critical
+  confidence: 0.90
+  action: block
+  pattern: "[Mm][Ss][Hh][Tt][Aa]\\s+.*https?://"
+  match_on: command
+  title: "mshta executing remote HTA file (LOLBin)"
+  expires_at: null
+  revoked: false
+
+# regsvr32 scriptlet loading
+- id: "CLT-WIN-CMD-010"
+  category: tool
+  severity: critical
+  confidence: 0.90
+  action: block
+  pattern: "[Rr][Ee][Gg][Ss][Vv][Rr]32.*/[SsIi].*\\.(dll|sct)"
+  match_on: command
+  title: "regsvr32 loading DLL/scriptlet (LOLBin)"
+  expires_at: null
+  revoked: false
+
+# rundll32 javascript execution
+- id: "CLT-WIN-CMD-011"
+  category: tool
+  severity: critical
+  confidence: 0.90
+  action: block
+  pattern: "[Rr][Uu][Nn][Dd][Ll][Ll]32.*javascript:"
+  match_on: command
+  title: "rundll32 executing JavaScript (LOLBin)"
+  expires_at: null
+  revoked: false
+
+# cmstp INF install (UAC bypass)
+- id: "CLT-WIN-CMD-012"
+  category: tool
+  severity: high
+  confidence: 0.85
+  action: block
+  pattern: "[Cc][Mm][Ss][Tt][Pp].*/[AaUuSs].*\\.inf"
+  match_on: command
+  title: "cmstp INF install (UAC bypass LOLBin)"
+  expires_at: null
+  revoked: false
+
+# wmic process create
+- id: "CLT-WIN-CMD-013"
+  category: tool
+  severity: critical
+  confidence: 0.90
+  action: block
+  pattern: "\\b[Ww][Mm][Ii][Cc]\\b.*\\bprocess\\s+call\\s+create\\b"
+  match_on: command
+  title: "wmic process call create (LOLBin)"
+  expires_at: null
+  revoked: false
+
+# msiexec remote install
+- id: "CLT-WIN-CMD-014"
+  category: tool
+  severity: critical
+  confidence: 0.90
+  action: block
+  pattern: "\\b[Mm][Ss][Ii][Ee][Xx][Ee][Cc]\\b.*/[QqIi].*https?://"
+  match_on: command
+  title: "msiexec remote MSI install (LOLBin)"
+  expires_at: null
+  revoked: false
+
+# forfiles command execution
+- id: "CLT-WIN-CMD-015"
+  category: tool
+  severity: high
+  confidence: 0.85
+  action: block
+  pattern: "\\b[Ff][Oo][Rr][Ff][Ii][Ll][Ee][Ss]\\b.*/[Cc].*\\b(cmd|powershell)\\b"
+  match_on: command
+  title: "forfiles dispatching cmd/powershell (LOLBin)"
+  expires_at: null
+  revoked: false
+
+# pcalua execution
+- id: "CLT-WIN-CMD-016"
+  category: tool
+  severity: high
+  confidence: 0.85
+  action: block
+  pattern: "\\b[Pp][Cc][Aa][Ll][Uu][Aa]\\b.*-a.*\\.(exe|dll)"
+  match_on: command
+  title: "pcalua executing binary (LOLBin)"
+  expires_at: null
+  revoked: false
+
+# installutil abuse
+- id: "CLT-WIN-CMD-017"
+  category: tool
+  severity: high
+  confidence: 0.85
+  action: block
+  pattern: "\\b[Ii]nstall[Uu]til\\b.*/[Ll]og[Ff]ile="
+  match_on: command
+  title: "installutil .NET execution (LOLBin)"
+  expires_at: null
+  revoked: false
+
+# regasm/regsvcs
+- id: "CLT-WIN-CMD-018"
+  category: tool
+  severity: high
+  confidence: 0.85
+  action: block
+  pattern: "\\b[Rr]eg[Aa]sm\\b.*/[Uu]|\\b[Rr]eg[Ss]vcs\\b"
+  match_on: command
+  title: "regasm/regsvcs .NET assembly execution (LOLBin)"
+  expires_at: null
+  revoked: false
+
+# --- Destructive Operations ---
+
+# format drive
+- id: "CLT-WIN-CMD-019"
+  category: tool
+  severity: critical
+  confidence: 0.95
+  action: block
+  pattern: "\\b[Ff][Oo][Rr][Mm][Aa][Tt]\\s+[A-Za-z]:"
+  match_on: command
+  title: "Format drive command"
+  expires_at: null
+  revoked: false
+
+# rd /s /q recursive delete
+- id: "CLT-WIN-CMD-020"
+  category: tool
+  severity: critical
+  confidence: 0.95
+  action: block
+  pattern: "\\b(rd|rmdir)\\b\\s+/[Ss]\\s+/[Qq]\\s+[A-Za-z]:\\\\"
+  match_on: command
+  title: "Recursive forced deletion from drive root"
+  expires_at: null
+  revoked: false
+
+# del /f /s /q force delete
+- id: "CLT-WIN-CMD-021"
+  category: tool
+  severity: critical
+  confidence: 0.95
+  action: block
+  pattern: "\\b[Dd][Ee][Ll]\\b\\s+/[Ff].*\\s+/[Ss].*\\s+[A-Za-z]:\\\\"
+  match_on: command
+  title: "Force delete all files from drive root"
+  expires_at: null
+  revoked: false
+
+# diskpart
+- id: "CLT-WIN-CMD-022"
+  category: tool
+  severity: critical
+  confidence: 0.95
+  action: block
+  pattern: "\\bdiskpart\\b"
+  match_on: command
+  title: "diskpart disk partition manipulation"
+  expires_at: null
+  revoked: false
+
+# --- Reverse Shells ---
+
+# PowerShell TCP reverse shell
+- id: "CLT-WIN-CMD-023"
+  category: tool
+  severity: critical
+  confidence: 0.90
+  action: block
+  pattern: "[Nn]ew-[Oo]bject\\s+[Ss]ystem\\.[Nn]et\\.[Ss]ockets\\.[Tt][Cc][Pp][Cc]lient"
+  match_on: command
+  title: "PowerShell TCP reverse shell via .NET socket"
+  expires_at: null
+  revoked: false
+
+# PowerShell UDP reverse shell
+- id: "CLT-WIN-CMD-024"
+  category: tool
+  severity: critical
+  confidence: 0.90
+  action: block
+  pattern: "[Nn]ew-[Oo]bject\\s+[Ss]ystem\\.[Nn]et\\.[Ss]ockets\\.[Uu][Dd][Pp][Cc]lient"
+  match_on: command
+  title: "PowerShell UDP reverse shell via .NET socket"
+  expires_at: null
+  revoked: false
+
+# --- Privilege Escalation ---
+
+# runas
+- id: "CLT-WIN-CMD-025"
+  category: tool
+  severity: high
+  confidence: 0.80
+  action: require_approval
+  pattern: "\\b[Rr][Uu][Nn][Aa][Ss]\\s+/user:"
+  match_on: command
+  title: "runas with alternate user credentials"
+  expires_at: null
+  revoked: false
+
+# Set-ExecutionPolicy Bypass/Unrestricted
+- id: "CLT-WIN-CMD-026"
+  category: tool
+  severity: high
+  confidence: 0.80
+  action: require_approval
+  pattern: "[Ss]et-[Ee]xecution[Pp]olicy\\s+([Bb]ypass|[Uu]nrestricted)"
+  match_on: command
+  title: "Disabling PowerShell execution policy"
+  expires_at: null
+  revoked: false
+
+# fodhelper UAC bypass
+- id: "CLT-WIN-CMD-027"
+  category: tool
+  severity: high
+  confidence: 0.80
+  action: block
+  pattern: "\\b[Ff]od[Hh]elper\\b"
+  match_on: command
+  title: "fodhelper.exe UAC bypass"
+  expires_at: null
+  revoked: false
+
+# --- PowerShell Destructive Operations ---
+
+# Remove-Item -Recurse -Force
+- id: "CLT-WIN-CMD-028"
+  category: tool
+  severity: critical
+  confidence: 0.90
+  action: block
+  pattern: "\\bRemove-Item\\b.*-Recurse.*-Force|\\bRemove-Item\\b.*-Force.*-Recurse"
+  match_on: command
+  title: "PowerShell recursive forced deletion (Remove-Item -Recurse -Force)"
+  expires_at: null
+  revoked: false
+
+# Clear-RecycleBin -Force
+- id: "CLT-WIN-CMD-029"
+  category: tool
+  severity: high
+  confidence: 0.80
+  action: require_approval
+  pattern: "\\bClear-RecycleBin\\b.*-Force"
+  match_on: command
+  title: "PowerShell destructive recycle bin cleanup"
+  expires_at: null
+  revoked: false
+
+# --- Additional Reverse Shells ---
+
+# ncat reverse shell
+- id: "CLT-WIN-CMD-030"
+  category: tool
+  severity: critical
+  confidence: 0.90
+  action: block
+  pattern: "\\bncat\\b.*\\s-e\\s+(cmd|powershell|cmd\\.exe|powershell\\.exe)"
+  match_on: command
+  title: "Reverse shell via ncat -e cmd/powershell"
+  expires_at: null
+  revoked: false
+
+# --- Shadow Copy / Recovery Destruction (Ransomware Indicators) ---
+
+# vssadmin delete shadows
+- id: "CLT-WIN-CMD-031"
+  category: tool
+  severity: critical
+  confidence: 0.95
+  action: block
+  pattern: "\\bvssadmin\\b.*\\bdelete\\s+shadows\\b"
+  case_insensitive: true
+  match_on: command
+  title: "Shadow copy deletion via vssadmin (ransomware indicator)"
+  expires_at: null
+  revoked: false
+
+# wmic shadowcopy delete
+- id: "CLT-WIN-CMD-032"
+  category: tool
+  severity: critical
+  confidence: 0.95
+  action: block
+  pattern: "\\bwmic\\b.*\\bshadowcopy\\b.*\\bdelete\\b"
+  match_on: command
+  title: "Shadow copy deletion via wmic (ransomware indicator)"
+  expires_at: null
+  revoked: false
+
+# bcdedit recovery disable
+- id: "CLT-WIN-CMD-033"
+  category: tool
+  severity: critical
+  confidence: 0.95
+  action: block
+  pattern: "\\bbcdedit\\b.*/set\\b.*\\b(recoveryenabled\\b.*\\b(No|no|NO|false|0)|bootems\\s+off|advancedoptions\\s+off|optionsedit\\s+off)\\b|\\breg\\b.*\\bdelete\\b.*\\bSYSTEM\\\\.*CurrentControlSet\\\\Control\\\\SafeBoot\\b|\\breg\\b.*\\badd\\b.*\\bSOFTWARE\\\\.*Microsoft\\\\Windows NT\\\\.*CurrentVersion\\\\Winlogon\\b.*/v.*Userinit"
+  match_on: command
+  title: "Recovery/boot disable via bcdedit, SafeBoot reg delete, or Winlogon Userinit (ransomware indicator)"
+  expires_at: null
+  revoked: false
+
+# PowerShell WMI/CIM shadow copy deletion
+- id: "CLT-WIN-CMD-034"
+  category: tool
+  severity: critical
+  confidence: 0.95
+  action: block
+  pattern: "\\b(Get-WmiObject|Get-CimInstance)\\b.*\\bWin32_ShadowCopy\\b.*\\b(Remove-WmiObject|Remove-CimInstance|Delete)\\b"
+  match_on: command
+  title: "PowerShell shadow copy deletion (ransomware indicator)"
+  expires_at: null
+  revoked: false
+
+# --- Defense Evasion / Anti-Forensics ---
+
+# wevtutil event log clearing
+- id: "CLT-WIN-CMD-035"
+  category: tool
+  severity: critical
+  confidence: 0.95
+  action: block
+  pattern: "\\bwevtutil\\b.*\\b(cl|clear-log)\\b"
+  match_on: command
+  title: "Windows event log clearing via wevtutil (anti-forensics)"
+  expires_at: null
+  revoked: false
+
+# PowerShell event log clearing
+- id: "CLT-WIN-CMD-036"
+  category: tool
+  severity: critical
+  confidence: 0.95
+  action: block
+  pattern: "\\b(Clear-EventLog|Remove-EventLog)\\b"
+  match_on: command
+  title: "PowerShell event log clearing (anti-forensics)"
+  expires_at: null
+  revoked: false
+
+# Set-MpPreference Defender disable
+- id: "CLT-WIN-CMD-037"
+  category: tool
+  severity: critical
+  confidence: 0.95
+  action: block
+  pattern: "\\b(Set|Add)-MpPreference\\b.*(-Disable|-Exclusion)"
+  match_on: command
+  title: "Windows Defender settings modification via Set/Add-MpPreference"
+  expires_at: null
+  revoked: false
+
+# Security service tampering
+- id: "CLT-WIN-CMD-038"
+  category: tool
+  severity: critical
+  confidence: 0.90
+  action: block
+  pattern: "\\b(sc\\s+(stop|config)|net\\s+stop|Stop-Service)\\b.*\\b(WinDefend|MpsSvc|wscsvc|SecurityHealthService)\\b"
+  match_on: command
+  title: "Security service tampering (WinDefend/firewall service stop/disable)"
+  expires_at: null
+  revoked: false
+
+# netsh firewall disable
+- id: "CLT-WIN-CMD-039"
+  category: tool
+  severity: critical
+  confidence: 0.90
+  action: block
+  pattern: "\\bnetsh\\b.*\\badvfirewall\\b.*\\bstate\\s+off\\b"
+  match_on: command
+  title: "Windows Firewall disabling via netsh"
+  expires_at: null
+  revoked: false
+
+# --- Data Exfiltration Indicators ---
+
+# Password-protected archive creation
+- id: "CLT-WIN-CMD-040"
+  category: tool
+  severity: high
+  confidence: 0.85
+  action: require_approval
+  pattern: "\\b(rar|winrar)(\\.exe)?\\b.*\\s-h?p|\\b(7z|7za)(\\.exe)?\\b.*\\s-p|\\bzip\\b.*\\s(-P\\s|--password\\b)"
+  match_on: command
+  title: "Password-protected archive creation (potential data exfiltration)"
+  expires_at: null
+  revoked: false
+
+# Bulk document archiving with wildcards
+- id: "CLT-WIN-CMD-041"
+  category: tool
+  severity: high
+  confidence: 0.85
+  action: require_approval
+  pattern: "\\b(rar|winrar|7z|7za|zip|tar)(\\.exe)?\\b.*\\*\\.(docx?|xlsx?|pptx?|pdf|csv)\\b"
+  match_on: command
+  title: "Bulk document archiving with wildcards (data exfiltration indicator)"
+  expires_at: null
+  revoked: false
+
+# --- AutoIt3 Script Execution (malware delivery) ---
+
+# AutoIt3 /AutoIt3ExecuteScript flag — prevalent malware delivery mechanism
+- id: "CLT-WIN-CMD-042"
+  category: tool
+  severity: critical
+  confidence: 0.95
+  action: block
+  pattern: "/AutoIt3ExecuteScript"
+  case_insensitive: true
+  match_on: command
+  title: "AutoIt3 script execution (common malware delivery)"
+  expires_at: null
+  revoked: false
+
+# --- Suspicious Script Execution Locations ---
+
+# wscript/cscript executing scripts from C:\Users\Public (world-writable staging)
+- id: "CLT-WIN-CMD-043"
+  category: tool
+  severity: high
+  confidence: 0.85
+  action: require_approval
+  pattern: "(wscript|cscript)(\\.exe)?\\b.*\\\\Users\\\\Public\\\\"
+  case_insensitive: true
+  match_on: command
+  title: "Script execution from C:\\Users\\Public (suspicious staging location)"
+  expires_at: null
+  revoked: false
+
+# --- Additional LOLBins ---
+
+# regsvr32 /i: with remote URL (Squiblydoo — shellcode or scrobj.dll variant)
+- id: "CLT-WIN-CMD-044"
+  category: tool
+  severity: critical
+  confidence: 0.95
+  action: block
+  pattern: "regsvr32(\\.exe)?\\b.*/[Ii]:[^\\s]*https?://"
+  case_insensitive: true
+  match_on: command
+  title: "regsvr32 /i: with remote URL (Squiblydoo attack)"
+  expires_at: null
+  revoked: false
+
+# cmdl32.exe Connection Manager Profile Installer abuse
+- id: "CLT-WIN-CMD-045"
+  category: tool
+  severity: high
+  confidence: 0.80
+  action: require_approval
+  pattern: "\\bcmdl32(\\.exe)?\\b"
+  case_insensitive: true
+  match_on: command
+  title: "cmdl32.exe Connection Manager abuse (LOLBin)"
+  expires_at: null
+  revoked: false
+
+# --- Download-Execute Chain (single & separator) ---
+
+# curl/wget download to file then start (single & in cmd.exe)
+- id: "CLT-WIN-CMD-046"
+  category: tool
+  severity: critical
+  confidence: 0.90
+  action: block
+  pattern: "\\b(curl|wget)\\b[^&]*(--(output|o\\b)|-o\\b)[^&]*&\\s*(start\\b|cmd)"
+  case_insensitive: true
+  match_on: command
+  title: "Download file then execute via cmd start (download-execute chain)"
+  expires_at: null
+  revoked: false
+
+# Shadow copy resize + VSS/SystemRestore disable + wbadmin backup deletion (ex CLT-TECH-005)
+- id: "CLT-WIN-CMD-047"
+  category: tool
+  severity: critical
+  confidence: 0.90
+  action: block
+  pattern: "(vssadmin.*resize.*shadowstorage|net.*stop.*swprv|reg.*add.*HKLM.*SOFTWARE.*Microsoft.*Windows NT.*CurrentVersion.*SystemRestore.*/v.*DisableSR.*/t.*REG_DWORD.*/d.*1.*/f|reg.*add.*HKLM.*SYSTEM.*CurrentControlSet.*services.*VSS.*/v.*Start.*/t.*REG_DWORD.*/d.*4.*/f|wbadmin.*delete.*catalog|wbadmin.*delete.*systemstatebackup)"
+  case_insensitive: true
+  match_on: command
+  title: "Shadow copy/VSS/SystemRestore disable or wbadmin backup deletion"
+  expires_at: null
+  revoked: false
+
+# Legacy firewall disable via netsh opmode (ex CLT-TECH-007, MpsSvc parts covered by CLT-WIN-CMD-038)
+- id: "CLT-WIN-CMD-048"
+  category: tool
+  severity: high
+  confidence: 0.80
+  action: require_approval
+  pattern: "netsh\\s+firewall\\s+set\\s+opmode\\s+mode[= ]+DISABLE"
+  case_insensitive: true
+  match_on: command
+  title: "Legacy firewall disable via netsh opmode (pre-Vista)"
+  expires_at: null
+  revoked: false
+
+# Firewall exclusion: add allowed program (ex CLT-TECH-008)
+- id: "CLT-WIN-CMD-049"
+  category: tool
+  severity: high
+  confidence: 0.80
+  action: require_approval
+  pattern: "(netsh\\s+firewall.+add.+allowedprogram.+ENABLE|netsh.+advfirewall.+firewall.+add.+rule.+name.+program|netsh\\s+advfirewall\\s+firewall.+allow.+program.+enable[= ]+yes)"
+  case_insensitive: true
+  match_on: command
+  title: "Excluding program from firewall detection via netsh"
+  expires_at: null
+  revoked: false
+
+# AppLocker bypass via regsvr32 /i:http (ex CLT-TECH-006)
+- id: "CLT-WIN-CMD-050"
+  category: tool
+  severity: high
+  confidence: 0.80
+  action: require_approval
+  pattern: "regsvr32.+i:\\s*http"
+  case_insensitive: true
+  match_on: command
+  title: "AppLocker bypass via regsvr32 /i:http"
+  expires_at: null
+  revoked: false
+
+# Mavinject DLL injection (ex CLT-TECH-009)
+- id: "CLT-WIN-CMD-051"
+  category: tool
+  severity: critical
+  confidence: 0.90
+  action: block
+  pattern: "(\\\\|/)Mavinject(64|32)\\.exe"
+  case_insensitive: true
+  match_on: command
+  title: "Mavinject DLL injection (LOLBin)"
+  expires_at: null
+  revoked: false
+
+# PyDev inject_dll injection (ex CLT-TECH-010)
+- id: "CLT-WIN-CMD-052"
+  category: tool
+  severity: critical
+  confidence: 0.90
+  action: block
+  pattern: "(\\\\|/)inject_dll_(x86|amd64)\\.exe"
+  case_insensitive: true
+  match_on: command
+  title: "PyDev inject_dll injection (LOLBin)"
+  expires_at: null
+  revoked: false
+
+# PowerShdll execution (ex CLT-TECH-028)
+- id: "CLT-WIN-CMD-053"
+  category: tool
+  severity: high
+  confidence: 0.80
+  action: require_approval
+  pattern: "(rundll32\\.exe PowerShdll\\.dll,main|POWERSHDLL\\.(DLL|EXE))"
+  case_insensitive: true
+  match_on: command
+  title: "PowerShdll execution (LOLBin)"
+  expires_at: null
+  revoked: false
+
+# SyncAppvPublishingServer execution (ex CLT-TECH-030)
+- id: "CLT-WIN-CMD-054"
+  category: tool
+  severity: high
+  confidence: 0.80
+  action: require_approval
+  pattern: "SyncAppvPublishingServer\\.vbs \".*(iwr|iex)"
+  case_insensitive: true
+  match_on: command
+  title: "Execution via SyncAppvPublishingServer (LOLBin)"
+  expires_at: null
+  revoked: false
+
+# sdclt/CompMgmtLauncher UAC bypass (ex CLT-TECH-033)
+- id: "CLT-WIN-CMD-055"
+  category: tool
+  severity: critical
+  confidence: 0.90
+  action: block
+  pattern: "(sdclt\\.exe|CompMgmtLauncher\\.exe)"
+  case_insensitive: true
+  match_on: command
+  title: "UAC bypass via sdclt or CompMgmtLauncher"
+  expires_at: null
+  revoked: false
+
+# PowerShell fileless execution via iex $env (ex CLT-TECH-017)
+- id: "CLT-WIN-CMD-056"
+  category: tool
+  severity: high
+  confidence: 0.80
+  action: require_approval
+  pattern: "powershell.*iex.*\\$env"
+  case_insensitive: true
+  match_on: command
+  title: "PowerShell fileless execution via iex $env"
+  expires_at: null
+  revoked: false
+
+# PowerShell version downgrade (ex CLT-TECH-018)
+- id: "CLT-WIN-CMD-057"
+  category: tool
+  severity: high
+  confidence: 0.80
+  action: require_approval
+  pattern: "powershell.*-Version"
+  case_insensitive: true
+  match_on: command
+  title: "PowerShell version downgrade attack"
+  expires_at: null
+  revoked: false
+
+# PowerShell download cradle iex+downloadstring (ex CLT-TECH-023)
+- id: "CLT-WIN-CMD-058"
+  category: tool
+  severity: critical
+  confidence: 0.90
+  action: block
+  pattern: "(powershell.*(iex|invoke-expression).*downloadstring|powershell.*Start-BitsTransfer.*(iex|invoke-expression)|powershell.*xmlhttp.*send.*(iex|invoke-expression))"
+  case_insensitive: true
+  match_on: command
+  title: "PowerShell download cradle (iex+downloadstring)"
+  expires_at: null
+  revoked: false
+
+# PowerShell Reflection.Assembly Load (ex CLT-TECH-024)
+- id: "CLT-WIN-CMD-059"
+  category: tool
+  severity: high
+  confidence: 0.80
+  action: require_approval
+  pattern: "powershell.+\\[Reflection\\.Assembly\\]::Load"
+  case_insensitive: true
+  match_on: command
+  title: "PowerShell Reflection.Assembly Load"
+  expires_at: null
+  revoked: false
+
+# PowerShell certificate validation bypass (ex CLT-TECH-025)
+- id: "CLT-WIN-CMD-060"
+  category: tool
+  severity: high
+  confidence: 0.80
+  action: require_approval
+  pattern: "powershell.+ServerCertificateValidationCallback\\s*=\\s*\\{\\s*\\$true\\s*\\}"
+  case_insensitive: true
+  match_on: command
+  title: "PowerShell certificate validation bypass"
+  expires_at: null
+  revoked: false
+
+# PowerShell GetTypeFromCLSID (ex CLT-TECH-029)
+- id: "CLT-WIN-CMD-061"
+  category: tool
+  severity: high
+  confidence: 0.80
+  action: require_approval
+  pattern: "powershell.+GetTypeFromCLSID"
+  case_insensitive: true
+  match_on: command
+  title: "PowerShell GetTypeFromCLSID usage"
+  expires_at: null
+  revoked: false