@gendigital/sage 0.4.0

package/resources/threats/win-credentials.yaml

@@ -0,0 +1,112 @@
+# Windows credential exposure threat patterns for Sage
+# Author: Gen Digital Inc.
+# License: DRL-1.1 (see threats/LICENSE)
+
+# cmdkey stored credentials
+- id: "CLT-WIN-CRED-001"
+  category: secrets
+  severity: high
+  confidence: 0.85
+  action: require_approval
+  pattern: "\\b[Cc]mdkey\\s+/add:"
+  match_on: command
+  title: "Stored credential creation via cmdkey"
+  expires_at: null
+  revoked: false
+
+# ConvertTo-SecureString with plaintext
+- id: "CLT-WIN-CRED-002"
+  category: secrets
+  severity: high
+  confidence: 0.85
+  action: require_approval
+  pattern: "[Cc]onvert[Tt]o-[Ss]ecure[Ss]tring.*-[Aa]s[Pp]lain[Tt]ext"
+  match_on: command
+  title: "ConvertTo-SecureString with plaintext password"
+  expires_at: null
+  revoked: false
+
+# Reading credential files on Windows (type, more, Get-Content)
+- id: "CLT-WIN-CRED-003"
+  category: secrets
+  severity: high
+  confidence: 0.80
+  action: require_approval
+  pattern: "\\b(type|more|[Gg]et-[Cc]ontent)\\b.*\\.(env|credentials|pgpass|netrc)"
+  match_on: command
+  title: "Reading credential file via type/more/Get-Content"
+  expires_at: null
+  revoked: false
+
+# [Environment]::SetEnvironmentVariable with credential keyword
+- id: "CLT-WIN-CRED-004"
+  category: secrets
+  severity: high
+  confidence: 0.80
+  action: require_approval
+  pattern: "\\[Environment\\]::SetEnvironmentVariable.*([Pp]assword|[Ss]ecret|[Tt]oken|[Kk]ey)"
+  match_on: command
+  title: "Setting credential environment variable via .NET"
+  expires_at: null
+  revoked: false
+
+# $env: credential assignment
+- id: "CLT-WIN-CRED-005"
+  category: secrets
+  severity: high
+  confidence: 0.80
+  action: require_approval
+  pattern: "\\$env:.*([Pp]assword|[Ss]ecret|[Tt]oken|[Aa]pi_?[Kk]ey)\\s*="
+  match_on: command
+  title: "PowerShell $env: credential variable assignment"
+  expires_at: null
+  revoked: false
+
+# Mimikatz / sekurlsa
+- id: "CLT-WIN-CRED-006"
+  category: secrets
+  severity: critical
+  confidence: 0.95
+  action: block
+  pattern: "[Mm]imikatz|[Ss]ekurlsa::"
+  match_on: command
+  title: "Mimikatz credential dumping tool"
+  expires_at: null
+  revoked: false
+
+# Registry hive export for credential theft
+- id: "CLT-WIN-CRED-007"
+  category: secrets
+  severity: critical
+  confidence: 0.95
+  action: block
+  pattern: "\\breg\\s+save\\b.*\\bHKLM\\\\(SAM|SYSTEM|SECURITY)\\b"
+  match_on: command
+  title: "Registry hive export for credential theft (reg save HKLM\\SAM/SYSTEM)"
+  expires_at: null
+  revoked: false
+
+# LSASS credential dumping
+- id: "CLT-WIN-CRED-008"
+  category: secrets
+  severity: critical
+  confidence: 0.95
+  action: block
+  pattern: "\\b(procdump|procdump64)\\b.*\\blsass\\b|\\brundll32\\b.*\\bcomsvcs(\\.dll)?\\b.*\\bMiniDump\\b"
+  match_on: command
+  title: "LSASS credential dumping (procdump/comsvcs.dll MiniDump)"
+  expires_at: null
+  revoked: false
+
+# WLAN password extraction (ex CLT-TECH-034)
+- id: "CLT-WIN-CRED-009"
+  category: secrets
+  severity: high
+  confidence: 0.80
+  action: require_approval
+  pattern: "netsh.*wlan.*show.*profiles.*key=clear"
+  case_insensitive: true
+  match_on: command
+  title: "WLAN password extraction via netsh"
+  expires_at: null
+  revoked: false

package/resources/threats/win-files.yaml

@@ -0,0 +1,124 @@
+# Windows sensitive file path threat patterns for Sage
+# Author: Gen Digital Inc.
+# License: DRL-1.1 (see threats/LICENSE)
+# Detects Write/Edit operations targeting Windows security-sensitive files
+
+# SAM/SECURITY/SYSTEM hive
+- id: "CLT-WIN-FILE-001"
+  category: secrets
+  severity: critical
+  confidence: 0.95
+  action: block
+  pattern: "(\\\\|/)Windows(\\\\|/)System32(\\\\|/)config(\\\\|/)(SAM|SECURITY|SYSTEM)"
+  match_on: file_path
+  title: "Write to SAM/SECURITY/SYSTEM registry hive"
+  expires_at: null
+  revoked: false
+
+# NTDS.dit (Active Directory database)
+- id: "CLT-WIN-FILE-002"
+  category: secrets
+  severity: critical
+  confidence: 0.95
+  action: block
+  pattern: "[Nn][Tt][Dd][Ss]\\.[Dd][Ii][Tt]"
+  match_on: file_path
+  title: "Write to NTDS.dit (Active Directory database)"
+  expires_at: null
+  revoked: false
+
+# Windows hosts file
+- id: "CLT-WIN-FILE-003"
+  category: tool
+  severity: high
+  confidence: 0.85
+  action: require_approval
+  pattern: "(\\\\|/)Windows(\\\\|/)System32(\\\\|/)drivers(\\\\|/)etc(\\\\|/)hosts"
+  match_on: file_path
+  title: "Write to Windows hosts file"
+  expires_at: null
+  revoked: false
+
+# Startup folder
+- id: "CLT-WIN-FILE-004"
+  category: tool
+  severity: high
+  confidence: 0.90
+  action: require_approval
+  pattern: "(\\\\|/)(Startup|Start Menu(\\\\|/)Programs(\\\\|/)Startup)(\\\\|/)"
+  match_on: file_path
+  title: "Write to Windows Startup folder"
+  expires_at: null
+  revoked: false
+
+# Executable script in System32/SysWOW64
+- id: "CLT-WIN-FILE-005"
+  category: tool
+  severity: critical
+  confidence: 0.90
+  action: block
+  pattern: "(\\\\|/)Windows(\\\\|/)(System32|SysWOW64)(\\\\|/).*\\.(bat|cmd|ps1|vbs|wsf)$"
+  match_on: file_path
+  title: "Write executable script to System32/SysWOW64"
+  expires_at: null
+  revoked: false
+
+# Driver file in System32/drivers
+- id: "CLT-WIN-FILE-006"
+  category: tool
+  severity: critical
+  confidence: 0.90
+  action: block
+  pattern: "(\\\\|/)Windows(\\\\|/)System32(\\\\|/)drivers(\\\\|/).*\\.sys$"
+  match_on: file_path
+  title: "Write driver file to System32/drivers"
+  expires_at: null
+  revoked: false
+
+# Task Scheduler directory
+- id: "CLT-WIN-FILE-007"
+  category: tool
+  severity: high
+  confidence: 0.85
+  action: require_approval
+  pattern: "(Windows|WINDOWS)[/\\\\]System32[/\\\\]Tasks[/\\\\]"
+  match_on: file_path
+  title: "Write to Windows Task Scheduler directory"
+  expires_at: null
+  revoked: false
+
+# SSH key or config file (Windows path)
+- id: "CLT-WIN-FILE-008"
+  category: secrets
+  severity: high
+  confidence: 0.90
+  action: require_approval
+  pattern: "\\.ssh[\\\\](id_rsa|id_ed25519|id_ecdsa|id_dsa|config|authorized_keys)$"
+  match_on: file_path
+  title: "Write to SSH key or config file (Windows path)"
+  expires_at: null
+  revoked: false
+
+# AWS credentials file (Windows path)
+- id: "CLT-WIN-FILE-009"
+  category: secrets
+  severity: high
+  confidence: 0.85
+  action: require_approval
+  pattern: "\\.aws[\\\\]credentials$"
+  match_on: file_path
+  title: "Write to AWS credentials file (Windows path)"
+  expires_at: null
+  revoked: false
+
+# Browser credential stores
+- id: "CLT-WIN-FILE-010"
+  category: secrets
+  severity: critical
+  confidence: 0.90
+  action: block
+  pattern: "(Google[/\\\\]Chrome|Mozilla[/\\\\]Firefox|Microsoft[/\\\\]Edge)[/\\\\].*[/\\\\](Login Data|logins\\.json|Cookies)$"
+  match_on: file_path
+  title: "Write to browser credential store"
+  expires_at: null
+  revoked: false

package/resources/threats/win-obfuscation.yaml

@@ -0,0 +1,205 @@
+# Windows obfuscation threat patterns for Sage
+# Author: Gen Digital Inc.
+# License: DRL-1.1 (see threats/LICENSE)
+
+# PowerShell -EncodedCommand
+- id: "CLT-WIN-OBFUS-001"
+  category: tool
+  severity: critical
+  confidence: 0.95
+  action: block
+  pattern: "-[Ee]nc(oded[Cc]ommand)?\\s+[A-Za-z0-9+/=]{20,}"
+  match_on: command
+  title: "PowerShell -EncodedCommand with base64 payload"
+  expires_at: null
+  revoked: false
+
+# certutil -decode
+- id: "CLT-WIN-OBFUS-002"
+  category: tool
+  severity: high
+  confidence: 0.85
+  action: require_approval
+  pattern: "[Cc][Ee][Rr][Tt][Uu][Tt][Ii][Ll]\\s.*-decode"
+  match_on: command
+  title: "certutil base64 decode (obfuscation)"
+  expires_at: null
+  revoked: false
+
+# Hidden PowerShell window
+- id: "CLT-WIN-OBFUS-003"
+  category: tool
+  severity: high
+  confidence: 0.85
+  action: require_approval
+  pattern: "-[Ww]indow[Ss]tyle\\s+[Hh]idden"
+  match_on: command
+  title: "Hidden PowerShell window"
+  expires_at: null
+  revoked: false
+
+# Bypass + NoProfile combo
+- id: "CLT-WIN-OBFUS-004"
+  category: tool
+  severity: high
+  confidence: 0.90
+  action: block
+  pattern: "-[Ee]xecution[Pp]olicy\\s+[Bb]ypass.*-[Nn]o[Pp]rofile"
+  match_on: command
+  title: "PowerShell -ExecutionPolicy Bypass -NoProfile (malware pattern)"
+  expires_at: null
+  revoked: false
+
+# [char] code obfuscation
+- id: "CLT-WIN-OBFUS-005"
+  category: tool
+  severity: high
+  confidence: 0.80
+  action: require_approval
+  pattern: "\\[char\\]\\s*\\d+.*-[Jj]oin"
+  match_on: [command, content]
+  title: "PowerShell [char] code obfuscation with -join"
+  expires_at: null
+  revoked: false
+
+# Security provider DLL injection via registry
+- id: "CLT-WIN-OBFUS-006"
+  category: tool
+  severity: critical
+  confidence: 0.90
+  action: block
+  pattern: "\\bSYSTEM\\\\CurrentControlSet\\\\Control\\\\SecurityProviders\\b"
+  match_on: command
+  title: "Security provider DLL injection via registry"
+  expires_at: null
+  revoked: false
+
+# mshta VBScript execution (Execute, CreateObject, close patterns)
+- id: "CLT-WIN-OBFUS-007"
+  category: tool
+  severity: critical
+  confidence: 0.90
+  action: block
+  pattern: "\\bmshta\\b.*\\bvbscript:(Execute|CreateObject|close\\s*\\()"
+  case_insensitive: true
+  match_on: command
+  title: "mshta VBScript execution (Execute/CreateObject obfuscation)"
+  expires_at: null
+  revoked: false
+
+# mshta javascript: eval execution
+- id: "CLT-WIN-OBFUS-008"
+  category: tool
+  severity: critical
+  confidence: 0.90
+  action: block
+  pattern: "\\bmshta\\b.*\\bjavascript:"
+  case_insensitive: true
+  match_on: command
+  title: "mshta JavaScript execution (LOLBin obfuscation)"
+  expires_at: null
+  revoked: false
+
+# wscript/cscript //E: engine override on non-script files
+- id: "CLT-WIN-OBFUS-009"
+  category: tool
+  severity: critical
+  confidence: 0.90
+  action: block
+  pattern: "(wscript|cscript)(\\.exe)?\\b.*//[Ee]:([Vv][Bb][Ss]cript|[Jj][Ss]cript)"
+  case_insensitive: true
+  match_on: command
+  title: "wscript/cscript script engine override (//E:VBScript evasion)"
+  expires_at: null
+  revoked: false
+
+# NTFS $INDEX_ALLOCATION folder creation (ex CLT-TECH-001)
+- id: "CLT-WIN-OBFUS-010"
+  category: tool
+  severity: high
+  confidence: 0.80
+  action: require_approval
+  pattern: "echo [\\S\\s]+> [a-zA-Z0-9.]+::\\$INDEX_ALLOCATION"
+  case_insensitive: true
+  match_on: command
+  title: "NTFS $INDEX_ALLOCATION folder creation without permissions"
+  expires_at: null
+  revoked: false
+
+# ADS bypass via type redirect or wmic process create (ex CLT-TECH-002)
+- id: "CLT-WIN-OBFUS-011"
+  category: tool
+  severity: high
+  confidence: 0.80
+  action: require_approval
+  pattern: "(type [a-zA-Z+0-9.\\\\:]+ > [a-zA-Z+0-9.\\\\:]+:[0-9a-zA-Z+.]+|wmic process call create [a-zA-Z+0-9.\\\\:]+:[a-z0-9A-Z.]+)"
+  case_insensitive: true
+  match_on: command
+  title: "Alternate Data Streams bypass"
+  expires_at: null
+  revoked: false
+
+# Dotdotdot hidden folder (ex CLT-TECH-003)
+- id: "CLT-WIN-OBFUS-012"
+  category: tool
+  severity: high
+  confidence: 0.80
+  action: require_approval
+  pattern: "(mkdir\\s+\\.{3,}|[a-zA-Z]+\\s+[a-z0-9]+\\s+>\\s+\\.{3,})"
+  case_insensitive: true
+  match_on: command
+  title: "Hidden file/folder via ... directory trick"
+  expires_at: null
+  revoked: false
+
+# cmd caret obfuscation (ex CLT-TECH-014)
+- id: "CLT-WIN-OBFUS-013"
+  category: tool
+  severity: high
+  confidence: 0.80
+  action: require_approval
+  pattern: "cmd.*([^\\^]\\^[a-z].*){5}"
+  case_insensitive: true
+  match_on: command
+  title: "cmd caret (^) obfuscation"
+  expires_at: null
+  revoked: false
+
+# cmd substring concatenation obfuscation (ex CLT-TECH-015)
+- id: "CLT-WIN-OBFUS-014"
+  category: tool
+  severity: high
+  confidence: 0.80
+  action: require_approval
+  pattern: "cmd.*(%[^%]+:~[^%]*%[a-z]*){2}"
+  case_insensitive: true
+  match_on: command
+  title: "cmd substring concatenation obfuscation"
+  expires_at: null
+  revoked: false
+
+# PowerShell backtick obfuscation (ex CLT-TECH-021)
+- id: "CLT-WIN-OBFUS-015"
+  category: tool
+  severity: high
+  confidence: 0.80
+  action: require_approval
+  pattern: "powershell.*(`[a-z].*){4}"
+  case_insensitive: true
+  match_on: command
+  title: "PowerShell backtick obfuscation"
+  expires_at: null
+  revoked: false
+
+# PowerShell XOR decryption (ex CLT-TECH-026)
+- id: "CLT-WIN-OBFUS-016"
+  category: tool
+  severity: high
+  confidence: 0.80
+  action: require_approval
+  pattern: "powershell.+-bxor\\s*['\"]"
+  case_insensitive: true
+  match_on: command
+  title: "PowerShell XOR decryption"
+  expires_at: null
+  revoked: false

package/resources/threats/win-persistence.yaml

@@ -0,0 +1,100 @@
+# Windows persistence mechanism threat patterns for Sage
+# Author: Gen Digital Inc.
+# License: DRL-1.1 (see threats/LICENSE)
+# Covers: Registry Run keys, Services, Task Scheduler, Startup folder
+
+# Registry Run key via reg add
+- id: "CLT-WIN-PERSIST-001"
+  category: tool
+  severity: critical
+  confidence: 0.90
+  action: block
+  pattern: "\\b[Rr][Ee][Gg]\\b\\s+[Aa][Dd][Dd].*\\\\(Run|RunOnce)\\\\"
+  match_on: command
+  title: "Registry Run key persistence via reg add"
+  expires_at: null
+  revoked: false
+
+# sc create/config service
+- id: "CLT-WIN-PERSIST-002"
+  category: tool
+  severity: critical
+  confidence: 0.90
+  action: block
+  pattern: "\\b[Ss][Cc]\\b\\s+(create|config).*binpath"
+  match_on: command
+  title: "Windows service creation/modification via sc"
+  expires_at: null
+  revoked: false
+
+# schtasks /create
+- id: "CLT-WIN-PERSIST-003"
+  category: tool
+  severity: high
+  confidence: 0.85
+  action: require_approval
+  pattern: "\\b[Ss][Cc][Hh][Tt][Aa][Ss][Kk][Ss]\\b.*/[Cc]reate"
+  match_on: command
+  title: "Scheduled task creation via schtasks"
+  expires_at: null
+  revoked: false
+
+# PowerShell New-ScheduledTask
+- id: "CLT-WIN-PERSIST-004"
+  category: tool
+  severity: high
+  confidence: 0.85
+  action: require_approval
+  pattern: "[Nn]ew-[Ss]cheduled[Tt]ask"
+  match_on: command
+  title: "PowerShell scheduled task creation"
+  expires_at: null
+  revoked: false
+
+# PowerShell Set-ItemProperty Run key
+- id: "CLT-WIN-PERSIST-005"
+  category: tool
+  severity: critical
+  confidence: 0.90
+  action: block
+  pattern: "[Ss]et-[Ii]tem[Pp]roperty.*\\\\(Run|RunOnce)\\\\"
+  match_on: command
+  title: "PowerShell Registry Run key persistence"
+  expires_at: null
+  revoked: false
+
+# PowerShell New-Service
+- id: "CLT-WIN-PERSIST-006"
+  category: tool
+  severity: high
+  confidence: 0.85
+  action: require_approval
+  pattern: "\\b[Nn]ew-[Ss]ervice\\b"
+  match_on: command
+  title: "PowerShell Windows service creation"
+  expires_at: null
+  revoked: false
+
+# Startup folder path
+- id: "CLT-WIN-PERSIST-007"
+  category: tool
+  severity: high
+  confidence: 0.85
+  action: require_approval
+  pattern: "\\\\(Startup|Start Menu\\\\Programs\\\\Startup)\\\\"
+  match_on: command
+  title: "Startup folder drop (persistence)"
+  expires_at: null
+  revoked: false
+
+# WMI event subscription persistence
+- id: "CLT-WIN-PERSIST-008"
+  category: tool
+  severity: critical
+  confidence: 0.90
+  action: block
+  pattern: "\\b(CommandLineEventConsumer|ActiveScriptEventConsumer)\\b"
+  match_on: command
+  title: "WMI event subscription persistence"
+  expires_at: null
+  revoked: false

package/resources/threats/win-supply-chain.yaml

@@ -0,0 +1,15 @@
+# Windows supply chain threat patterns for Sage
+# Author: Gen Digital Inc.
+# License: DRL-1.1 (see threats/LICENSE)
+
+# Install-Module without -RequiredVersion
+- id: "CLT-WIN-SUPPLY-001"
+  category: supply_chain
+  severity: medium
+  confidence: 0.65
+  action: require_approval
+  pattern: "[Ii]nstall-[Mm]odule\\s+(?!.*-[Rr]equired[Vv]ersion)"
+  match_on: command
+  title: "PowerShell Install-Module without -RequiredVersion"
+  expires_at: null
+  revoked: false