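# OBOM Runtime Security & Compliance Rules
# Category: obom-runtime
# Detects host posture, persistence, and runtime indicators from osquery-derived OBOM components
#
# Rule layout (every rule below follows the same shape):
#   condition        filter over `components`; a component's own fields (name, version,
#                    description, purl, "bom-ref") are read directly, osquery columns are
#                    read through $prop / $nullSafeProp / $safeStr.
#   location         JSON object identifying the matched component (bom-ref + purl).
#   message          finding text; `{{ ... }}` placeholders are expanded per component.
#   mitigation       defender guidance for the finding.
#   attack           optional MITRE ATT&CK tactic/technique references.
#   evidence         JSON object with the fields a reviewer needs to triage.
#
# NOTE(review): $prop, $nullSafeProp, $safeStr, $hasProp, $firstNonEmpty, $listContains
#   and $startsWith are not JSONata builtins; their contracts are inferred from usage here
#   ($safeStr / $nullSafeProp are treated as yielding '' for a missing value). Confirm
#   against the rules engine before relying on that in new rules.
# NOTE(review): if conditions are evaluated by stock JSONata, passing an undefined
#   component field straight into $contains/$lowercase substitutes the context object and
#   raises a type error, aborting the rule. Wrap raw fields in $safeStr() as the
#   Windows/macOS rules already do.

- id: OBOM-LNX-001
  name: "Linux systemd unit sourced from temporary path"
  description: "Systemd units loaded from /tmp or /var/tmp can indicate unauthorized persistence."
  severity: high
  category: obom-runtime
  dry-run-support: full
  # Either the unit fragment or its generated source may live under a temp directory.
  condition: |
    components[
      $prop($, 'cdx:osquery:category') = 'systemd_units'
      and (
        $contains($nullSafeProp($, 'fragment_path'), '/tmp/')
        or $contains($nullSafeProp($, 'fragment_path'), '/var/tmp/')
        or $contains($nullSafeProp($, 'source_path'), '/tmp/')
        or $contains($nullSafeProp($, 'source_path'), '/var/tmp/')
      )
    ]
  location: |
    { "bomRef": $."bom-ref", "purl": purl }
  message: "Systemd unit '{{ name }}' loads from unit path '{{ $firstNonEmpty($prop($, 'fragment_path'), $prop($, 'source_path'), name) }}' with temporary-backed source '{{ $firstNonEmpty($prop($, 'source_path'), $prop($, 'fragment_path')) }}'"
  mitigation: "Review the unit file and any generated source/drop-in together, move them to trusted system paths, validate ownership/permissions, and re-enable only approved services."
  evidence: |
    {
      "activeState": $prop($, 'active_state'),
      "unitFileState": $prop($, 'unit_file_state'),
      "fragmentPath": $prop($, 'fragment_path'),
      "sourcePath": $prop($, 'source_path')
    }

- id: OBOM-LNX-002
  name: "Linux sudoers broad privilege rule"
  description: "Sudoers entries allowing unrestricted command execution increase lateral movement and privilege escalation risk."
  severity: high
  category: obom-runtime
  dry-run-support: full
  # `description` carries the sudoers rule details. sudoers accepts both the compact
  # ("NOPASSWD:ALL") and spaced ("NOPASSWD: ALL") tag forms and both the "(ALL)" and
  # "(ALL:ALL)" runas forms, so all four spellings are matched. $safeStr keeps the rule
  # from erroring on a component without a description.
  condition: |
    components[
      $prop($, 'cdx:osquery:category') = 'sudoers_snapshot'
      and (
        $contains($safeStr(description), 'NOPASSWD:ALL')
        or $contains($safeStr(description), 'NOPASSWD: ALL')
        or $contains($safeStr(description), 'ALL=(ALL) ALL')
        or $contains($safeStr(description), 'ALL=(ALL:ALL) ALL')
      )
    ]
  location: |
    { "bomRef": $."bom-ref", "purl": purl }
  message: "Sudo policy '{{ name }}' contains broad privilege grant: {{ description }}"
  mitigation: "Replace broad grants with command-specific allowlists and enforce MFA/approval workflows for privileged operations."
  evidence: |
    {
      "sourceFile": $prop($, 'path'),
      "ruleDetails": description
    }

- id: OBOM-LNX-003
  name: "Root authorized_keys entry without restrictions"
  description: "Root SSH keys without command/from/no-agent-forwarding restrictions weaken access controls and traceability."
  severity: medium
  category: obom-runtime
  dry-run-support: full
  # Matches only when the `options` property is present and empty.
  # NOTE(review): an entry whose empty options column was dropped during OBOM generation
  #   would not match; confirm the generator keeps empty values.
  condition: |
    components[
      $prop($, 'cdx:osquery:category') = 'authorized_keys_snapshot'
      and name = 'root'
      and $hasProp($, 'options')
      and $safeStr($prop($, 'options')) = ''
    ]
  location: |
    { "bomRef": $."bom-ref", "purl": purl }
  message: "Root authorized_keys entry in '{{ $prop($, 'key_file') }}' lacks restrictive key options"
  mitigation: "Apply restrictive key options (from=, command=, no-agent-forwarding, no-port-forwarding) and rotate unmanaged keys."
  evidence: |
    {
      "account": name,
      "algorithm": version,
      "keyFile": $prop($, 'key_file'),
      "options": $prop($, 'options')
    }

- id: OBOM-WIN-001
  name: "Windows drive without BitLocker protection"
  description: "Drives with disabled BitLocker protection can violate endpoint encryption requirements and increase data exposure risk."
  severity: high
  category: obom-runtime
  dry-run-support: full
  # '1' is treated as "protected"; any other value, including a missing one, is flagged.
  condition: |
    components[
      $prop($, 'cdx:osquery:category') = 'windows_bitlocker_info'
      and $safeStr($prop($, 'protection_status')) != '1'
    ]
  location: |
    { "bomRef": $."bom-ref", "purl": purl }
  message: "BitLocker protection is not enabled for drive '{{ version }}' (device '{{ name }}')"
  mitigation: "Enable BitLocker with approved encryption policy and escrow recovery keys in managed KMS/AD."
  evidence: |
    {
      "deviceId": name,
      "driveLetter": version,
      "protectionStatus": $prop($, 'protection_status'),
      "encryptionMethod": $prop($, 'encryption_method'),
      "percentageEncrypted": $prop($, 'percentage_encrypted')
    }

- id: OBOM-WIN-002
  name: "Windows Security Center unhealthy state"
  description: "Poor Security Center health indicates one or more key endpoint protections are disabled or degraded."
  severity: high
  category: obom-runtime
  dry-run-support: full
  # name/version/description carry antivirus/firewall/autoupdate state respectively
  # (see the message template); the remaining checks are osquery properties.
  condition: |
    components[
      $prop($, 'cdx:osquery:category') = 'windows_security_center'
      and (
        name = 'Poor'
        or version = 'Poor'
        or description = 'Poor'
        or $prop($, 'internet_settings') = 'Poor'
        or $prop($, 'windows_security_center_service') = 'Poor'
        or $prop($, 'user_account_control') = 'Poor'
      )
    ]
  location: |
    { "bomRef": $."bom-ref", "purl": purl }
  message: "Windows Security Center reports degraded protection posture (antivirus={{ name }}, firewall={{ version }}, autoupdate={{ description }})"
  mitigation: "Restore endpoint protection controls and enforce policy baselines for AV, firewall, updates, and UAC."
  evidence: |
    {
      "antivirus": name,
      "firewall": version,
      "autoupdate": description,
      "internetSettings": $prop($, 'internet_settings'),
      "securityCenterService": $prop($, 'windows_security_center_service'),
      "uac": $prop($, 'user_account_control')
    }

- id: OBOM-WIN-003
  name: "Windows Run key references temporary/script execution path"
  description: "Run/RunOnce entries launching from temp or encoded script commands are common persistence techniques."
  severity: critical
  category: obom-runtime
  dry-run-support: full
  # Backslashes are doubled because the condition is a JSONata string literal.
  # The '\\temp\\' check already covers '\\appdata\\local\\temp\\'; the explicit form is
  # kept for readability.
  condition: |
    components[
      $prop($, 'cdx:osquery:category') = 'windows_run_keys'
      and (
        $contains($lowercase($safeStr(description)), '\\appdata\\local\\temp\\')
        or $contains($lowercase($safeStr(description)), '\\temp\\')
        or $contains($lowercase($safeStr(description)), '-enc ')
      )
    ]
  location: |
    { "bomRef": $."bom-ref", "purl": purl }
  message: "Run key '{{ name }}' launches potentially suspicious command/path: {{ description }}"
  mitigation: "Validate publisher and hash of the referenced executable/script, remove unauthorized entries, and investigate parent change events."
  evidence: |
    {
      "registryPath": name,
      "command": description,
      "registryKey": $prop($, 'key'),
      "mtime": version
    }

- id: OBOM-MAC-001
  name: "macOS firewall disabled or stealth mode off"
  description: "ALF misconfiguration can expose endpoints to unsolicited inbound traffic and weakens host hardening baselines."
  severity: high
  category: obom-runtime
  dry-run-support: full
  # `version` carries global_state (see the message template).
  condition: |
    components[
      $prop($, 'cdx:osquery:category') = 'alf'
      and (
        $safeStr(version) = '0'
        or $safeStr($prop($, 'stealth_enabled')) = '0'
      )
    ]
  location: |
    { "bomRef": $."bom-ref", "purl": purl }
  message: "macOS ALF posture is weak (global_state={{ version }}, stealth_enabled={{ $prop($, 'stealth_enabled') }})"
  mitigation: "Enable ALF and stealth mode via managed profile or MDM baseline."
  evidence: |
    {
      "globalState": version,
      "stealthEnabled": $prop($, 'stealth_enabled'),
      "allowSignedEnabled": $prop($, 'allow_signed_enabled'),
      "loggingEnabled": $prop($, 'logging_enabled')
    }

- id: OBOM-MAC-002
  name: "macOS launchd item from user-writable temporary path"
  description: "Launchd agents/daemons sourced from temporary paths are a strong persistence and execution abuse signal."
  severity: critical
  category: obom-runtime
  dry-run-support: full
  # Requires both a temp-backed plist/program AND a persistence flag (run_at_load or
  # keep_alive, accepted as 'true' or '1').
  condition: |
    components[
      $prop($, 'cdx:osquery:category') = 'launchd_services'
      and (
        $contains($nullSafeProp($, 'path'), '/tmp/')
        or $contains($nullSafeProp($, 'path'), '/var/tmp/')
        or $contains($nullSafeProp($, 'program'), '/tmp/')
        or $contains($nullSafeProp($, 'program'), '/var/tmp/')
      )
      and (
        $safeStr($prop($, 'run_at_load')) = 'true'
        or $safeStr($prop($, 'run_at_load')) = '1'
        or $safeStr($prop($, 'keep_alive')) = 'true'
        or $safeStr($prop($, 'keep_alive')) = '1'
      )
    ]
  location: |
    { "bomRef": $."bom-ref", "purl": purl }
  message: "Launchd item '{{ $firstNonEmpty($prop($, 'label'), name) }}' uses plist '{{ $firstNonEmpty($prop($, 'path'), name) }}' and target '{{ $firstNonEmpty($prop($, 'program'), $prop($, 'program_arguments'), name) }}' from a temporary path with persistence enabled"
  mitigation: "Review the launchd plist and target executable together, remove unauthorized entries, relocate approved binaries to trusted paths, and enforce signed launchd payloads."
  evidence: |
    {
      "label": $prop($, 'label'),
      "plistPath": $prop($, 'path'),
      "targetPath": $firstNonEmpty($prop($, 'program'), $prop($, 'program_arguments')),
      "program": $prop($, 'program'),
      "programArguments": $prop($, 'program_arguments'),
      "runAtLoad": $prop($, 'run_at_load'),
      "keepAlive": $prop($, 'keep_alive')
    }

- id: OBOM-MAC-003
  name: "macOS firewall exception for binary in untrusted user path"
  description: "ALF exceptions for binaries in user Downloads/Desktop/tmp increase risk of untrusted inbound network exposure."
  severity: medium
  category: obom-runtime
  dry-run-support: full
  # `name` is the exception path; only paths under /Users/ are considered.
  condition: |
    components[
      $prop($, 'cdx:osquery:category') = 'alf_exceptions'
      and (
        $contains($safeStr(name), '/Users/')
        and (
          $contains($safeStr(name), '/Downloads/')
          or $contains($safeStr(name), '/Desktop/')
          or $contains($safeStr(name), '/tmp/')
        )
      )
    ]
  location: |
    { "bomRef": $."bom-ref", "purl": purl }
  message: "ALF exception allows inbound access for risky path '{{ name }}'"
  mitigation: "Restrict exceptions to signed, managed applications in trusted system paths."
  evidence: |
    {
      "path": name,
      "state": version
    }

- id: OBOM-LNX-004
  name: "Linux shell history contains suspicious download-execute pattern"
  description: "Shell history with direct download-and-execute commands may indicate malware staging or hands-on-keyboard activity."
  severity: high
  category: obom-runtime
  dry-run-support: full
  # `description` carries the recorded command; $safeStr keeps the rule from erroring on
  # an entry without one. Patterns are literal substrings of the lowercased command.
  condition: |
    components[
      $prop($, 'cdx:osquery:category') = 'shell_history_snapshot'
      and (
        ($contains($lowercase($safeStr(description)), 'curl ') and $contains($lowercase($safeStr(description)), '| sh'))
        or ($contains($lowercase($safeStr(description)), 'wget ') and $contains($lowercase($safeStr(description)), '| bash'))
        or $contains($lowercase($safeStr(description)), 'base64 -d')
        or $contains($lowercase($safeStr(description)), 'nc -e ')
      )
    ]
  location: |
    { "bomRef": $."bom-ref", "purl": purl }
  message: "Suspicious shell history entry for user '{{ name }}': {{ description }}"
  mitigation: "Correlate with process/network telemetry, validate command intent, and isolate host if command lineage is untrusted."
  evidence: |
    {
      "account": name,
      "command": description,
      "historyFile": $prop($, 'history_file'),
      "timestamp": $prop($, 'time')
    }

- id: OBOM-LNX-005
  name: "Docker API exposed over unauthenticated TCP port"
  description: "Dockerd listening on TCP 2375 enables remote daemon control if not protected by network controls and TLS."
  severity: critical
  category: obom-runtime
  dry-run-support: full
  # Only wildcard binds (IPv4 0.0.0.0 / IPv6 ::) are flagged; a listener bound to a
  # specific non-loopback address is not matched by this rule.
  condition: |
    components[
      $prop($, 'cdx:osquery:category') = 'listening_ports'
      and $safeStr($prop($, 'port')) = '2375'
      and (
        $safeStr($prop($, 'address')) = '0.0.0.0'
        or $safeStr($prop($, 'address')) = '::'
      )
    ]
  location: |
    { "bomRef": $."bom-ref", "purl": purl }
  message: "Potentially insecure Docker API exposure detected on {{ $prop($, 'address') }}:{{ $prop($, 'port') }} for process '{{ name }}'"
  mitigation: "Disable insecure TCP listener, enforce TLS/mTLS, and restrict daemon access to trusted local interfaces."
  evidence: |
    {
      "process": name,
      "pid": $prop($, 'pid'),
      "address": $prop($, 'address'),
      "port": $prop($, 'port'),
      "protocol": $prop($, 'protocol')
    }

- id: OBOM-LNX-006
  name: "Privileged Linux listener exposed on a non-local interface"
  description: "Root or service-account listeners bound to all interfaces expand attack surface and should be reviewed even when they appear to come from managed system paths."
  severity: medium
  category: obom-runtime
  dry-run-support: full
  # Wildcard-bound privileged listeners, minus a small allowlist (ssh/dns ports and a few
  # well-known daemons). Listeners from user-writable or unclassified paths are excluded
  # here because the same path set is flagged at critical by OBOM-LNX-010.
  condition: |
    components[
      $prop($, 'cdx:osquery:category') = 'privileged_listening_ports'
      and (
        $safeStr($prop($, 'address')) = '0.0.0.0'
        or $safeStr($prop($, 'address')) = '::'
      )
      and $safeStr($prop($, 'port')) != '22'
      and $safeStr($prop($, 'port')) != '53'
      and $safeStr(name) != 'systemd-resolved'
      and $safeStr(name) != 'avahi-daemon'
      and $safeStr(name) != 'cupsd'
      and $safeStr($prop($, 'package_source_hint')) != 'user-writable-path'
      and $safeStr($prop($, 'package_source_hint')) != 'unclassified-path'
      and $not($contains($lowercase($nullSafeProp($, 'path')), '/tmp/'))
      and $not($contains($lowercase($nullSafeProp($, 'path')), '/var/tmp/'))
      and $not($contains($lowercase($nullSafeProp($, 'path')), '/dev/shm/'))
      and $not($contains($lowercase($nullSafeProp($, 'path')), '/home/'))
      and $not($contains($lowercase($nullSafeProp($, 'path')), '/run/user/'))
    ]
  location: |
    { "bomRef": $."bom-ref", "purl": purl }
  message: "Privileged listener '{{ name }}' from '{{ $firstNonEmpty($prop($, 'path'), name) }}' is reachable on {{ $prop($, 'address') }}:{{ $prop($, 'port') }} and should be validated against approved exposure"
  mitigation: "Restrict privileged services to local interfaces where possible, front them with authenticated proxies, and validate the listener path and service ownership against approved admin-surface inventory."
  evidence: |
    {
      "account": $prop($, 'account'),
      "pid": $prop($, 'pid'),
      "address": $prop($, 'address'),
      "port": $prop($, 'port'),
      "path": $prop($, 'path'),
      "serviceUnit": $prop($, 'service_unit'),
      "packageSourceHint": $prop($, 'package_source_hint'),
      "parentCmdline": $prop($, 'parent_cmdline')
    }

- id: OBOM-LNX-007
  name: "Administrative Linux surface running with elevated privileges"
  description: "Cockpit, PackageKit, pkexec, and related admin surfaces running with elevated privileges should be continuously monitored for exposure and drift."
  severity: high
  category: obom-runtime
  dry-run-support: full
  # Spans four osquery categories; a match needs an admin-tool keyword in name/path/cmdline
  # AND a root uid/euid or root account/effective_user.
  condition: |
    components[
      (
        $prop($, 'cdx:osquery:category') = 'elevated_processes'
        or $prop($, 'cdx:osquery:category') = 'privileged_listening_ports'
        or $prop($, 'cdx:osquery:category') = 'sudo_executions'
        or $prop($, 'cdx:osquery:category') = 'privilege_transitions'
      )
      and (
        $contains($lowercase($safeStr(name)), 'cockpit')
        or $contains($lowercase($nullSafeProp($, 'path')), 'cockpit')
        or $contains($lowercase($nullSafeProp($, 'cmdline')), 'cockpit')
        or $contains($lowercase($safeStr(name)), 'packagekit')
        or $contains($lowercase($nullSafeProp($, 'path')), 'packagekit')
        or $contains($lowercase($nullSafeProp($, 'cmdline')), 'packagekit')
        or $contains($lowercase($safeStr(name)), 'pkexec')
        or $contains($lowercase($nullSafeProp($, 'path')), 'pkexec')
        or $contains($lowercase($nullSafeProp($, 'cmdline')), 'pkexec')
        or $contains($lowercase($safeStr(name)), 'pkcon')
        or $contains($lowercase($nullSafeProp($, 'cmdline')), 'pkcon')
      )
      and (
        $safeStr($prop($, 'uid')) = '0'
        or $safeStr($prop($, 'euid')) = '0'
        or $safeStr($prop($, 'account')) = 'root'
        or $safeStr($prop($, 'effective_user')) = 'root'
      )
    ]
  location: |
    { "bomRef": $."bom-ref", "purl": purl }
  message: "Administrative surface '{{ name }}' is active with elevated privileges and should be reviewed for exposure"
  mitigation: "Review network reachability, patch cadence, and whether the administrative package is still needed on this host."
  evidence: |
    {
      "category": $prop($, 'cdx:osquery:category'),
      "path": $prop($, 'path'),
      "cmdline": $prop($, 'cmdline'),
      "account": $prop($, 'account'),
      "effectiveUser": $prop($, 'effective_user'),
      "serviceUnit": $prop($, 'service_unit'),
      "address": $prop($, 'address'),
      "port": $prop($, 'port'),
      "packageSourceHint": $prop($, 'package_source_hint')
    }

- id: OBOM-LNX-008
  name: "Interactive sudo chain touched sensitive administrative binary"
  description: "Interactive sudo or pkexec invocations against package-management and admin-control binaries can indicate privileged changes worth auditing."
  severity: high
  category: obom-runtime
  dry-run-support: full
  # auid must be present and non-root (an interactive login user), and the command must
  # run as root. The space-padded patterns (' apt ', ' dnf ', ...) only match the tool
  # when it appears mid-command-line, which is the expected position after sudo/pkexec.
  condition: |
    components[
      $prop($, 'cdx:osquery:category') = 'sudo_executions'
      and $safeStr($prop($, 'auid')) != ''
      and $safeStr($prop($, 'auid')) != '0'
      and (
        $safeStr($prop($, 'euid')) = '0'
        or $safeStr($prop($, 'effective_user')) = 'root'
      )
      and (
        $contains($lowercase($nullSafeProp($, 'path')), 'pkexec')
        or $contains($lowercase($nullSafeProp($, 'path')), 'pkcon')
        or $contains($lowercase($nullSafeProp($, 'path')), 'packagekit')
        or $contains($lowercase($nullSafeProp($, 'cmdline')), 'pkexec')
        or $contains($lowercase($nullSafeProp($, 'cmdline')), 'pkcon')
        or $contains($lowercase($nullSafeProp($, 'cmdline')), 'packagekit')
        or $contains($lowercase($nullSafeProp($, 'cmdline')), 'cockpit')
        or $contains($lowercase($nullSafeProp($, 'cmdline')), 'systemctl')
        or $contains($lowercase($nullSafeProp($, 'cmdline')), 'service ')
        or $contains($lowercase($nullSafeProp($, 'cmdline')), ' apt ')
        or $contains($lowercase($nullSafeProp($, 'cmdline')), ' apt-get ')
        or $contains($lowercase($nullSafeProp($, 'cmdline')), ' dnf ')
        or $contains($lowercase($nullSafeProp($, 'cmdline')), ' yum ')
        or $contains($lowercase($nullSafeProp($, 'cmdline')), ' zypper ')
        or $contains($lowercase($nullSafeProp($, 'cmdline')), ' rpm ')
        or $contains($lowercase($nullSafeProp($, 'cmdline')), ' dpkg ')
      )
    ]
  location: |
    { "bomRef": $."bom-ref", "purl": purl }
  message: "Interactive privileged execution by '{{ $prop($, 'login_user') }}' touched sensitive administrative command '{{ $prop($, 'path') }}'"
  mitigation: "Review whether the command was expected, tie it to change records, and investigate unexpected package-management or control-plane activity."
  evidence: |
    {
      "loginUser": $prop($, 'login_user'),
      "effectiveUser": $prop($, 'effective_user'),
      "path": $prop($, 'path'),
      "cmdline": $prop($, 'cmdline'),
      "parentCmdline": $prop($, 'parent_cmdline'),
      "serviceUnit": $prop($, 'service_unit'),
      "packageSourceHint": $prop($, 'package_source_hint'),
      "timestamp": $prop($, 'time')
    }

- id: OBOM-LNX-009
  name: "Unexpected Linux privilege transition for non-allowlisted executable"
  description: "Setuid/setgid transitions outside a small baseline of expected tools can indicate risky privilege-bound packages or exploit activity."
  severity: high
  category: obom-runtime
  dry-run-support: full
  # Baseline of expected setuid/setgid helpers is matched on exact path. pkexec is
  # deliberately not listed here; it is covered by OBOM-LNX-007/008.
  condition: |
    components[
      $prop($, 'cdx:osquery:category') = 'privilege_transitions'
      and $safeStr($prop($, 'auid')) != ''
      and $safeStr($prop($, 'auid')) != '0'
      and (
        $safeStr($prop($, 'euid')) = '0'
        or $safeStr($prop($, 'egid')) = '0'
      )
      and $safeStr($prop($, 'path')) != '/usr/bin/sudo'
      and $safeStr($prop($, 'path')) != '/bin/su'
      and $safeStr($prop($, 'path')) != '/usr/bin/su'
      and $safeStr($prop($, 'path')) != '/usr/bin/doas'
      and $safeStr($prop($, 'path')) != '/usr/bin/passwd'
      and $safeStr($prop($, 'path')) != '/usr/bin/chsh'
      and $safeStr($prop($, 'path')) != '/usr/bin/chfn'
      and $safeStr($prop($, 'path')) != '/usr/bin/gpasswd'
      and $safeStr($prop($, 'path')) != '/usr/bin/newgrp'
      and $safeStr($prop($, 'path')) != '/usr/bin/mount'
      and $safeStr($prop($, 'path')) != '/usr/bin/umount'
    ]
  location: |
    { "bomRef": $."bom-ref", "purl": purl }
  message: "Unexpected privilege transition detected for '{{ $prop($, 'path') }}' (auid={{ $prop($, 'auid') }}, euid={{ $prop($, 'euid') }})"
  mitigation: "Validate binary provenance, file permissions, and recent package changes; treat unfamiliar setuid/setgid paths as high-priority review items."
  evidence: |
    {
      "loginUser": $prop($, 'login_user'),
      "path": $prop($, 'path'),
      "cmdline": $prop($, 'cmdline'),
      "parentCmdline": $prop($, 'parent_cmdline'),
      "auid": $prop($, 'auid'),
      "uid": $prop($, 'uid'),
      "euid": $prop($, 'euid'),
      "gid": $prop($, 'gid'),
      "egid": $prop($, 'egid'),
      "packageSourceHint": $prop($, 'package_source_hint')
    }

- id: OBOM-LNX-010
  name: "Elevated Linux process launched from user-writable or temporary path"
  description: "Root processes executing from explicit user-controlled, temporary, or per-user runtime paths are a strong signal for persistence or package drift."
  severity: critical
  category: obom-runtime
  dry-run-support: full
  # Path checks are case-sensitive here (no $lowercase), unlike the same list in
  # OBOM-LNX-006. The cmdline checks also fire when a root process merely references
  # one of these directories as an argument.
  condition: |
    components[
      $prop($, 'cdx:osquery:category') = 'elevated_processes'
      and $safeStr($prop($, 'uid')) = '0'
      and (
        $contains($nullSafeProp($, 'path'), '/tmp/')
        or $contains($nullSafeProp($, 'path'), '/var/tmp/')
        or $contains($nullSafeProp($, 'path'), '/dev/shm/')
        or $contains($nullSafeProp($, 'path'), '/home/')
        or $contains($nullSafeProp($, 'path'), '/run/user/')
        or $contains($nullSafeProp($, 'cmdline'), '/tmp/')
        or $contains($nullSafeProp($, 'cmdline'), '/var/tmp/')
        or $contains($nullSafeProp($, 'cmdline'), '/dev/shm/')
        or $contains($nullSafeProp($, 'cmdline'), '/home/')
        or $contains($nullSafeProp($, 'cmdline'), '/run/user/')
        or $safeStr($prop($, 'package_source_hint')) = 'user-writable-path'
      )
      and $safeStr(name) != 'systemd'
      and $safeStr(name) != 'init'
    ]
  location: |
    { "bomRef": $."bom-ref", "purl": purl }
  message: "Elevated process '{{ name }}' executes from a risky path or command: {{ $firstNonEmpty($prop($, 'path'), $prop($, 'cmdline'), name) }}"
  mitigation: "Validate the executable path and full command line, move approved binaries into trusted system locations, and investigate any root process sourced from writable directories or per-user runtime paths."
  evidence: |
    {
      "account": $prop($, 'account'),
      "path": $prop($, 'path'),
      "cmdline": $prop($, 'cmdline'),
      "serviceUnit": $prop($, 'service_unit'),
      "parentPath": $prop($, 'parent_path'),
      "parentCmdline": $prop($, 'parent_cmdline'),
      "startTime": $prop($, 'start_time'),
      "packageSourceHint": $prop($, 'package_source_hint')
    }

- id: OBOM-LNX-011
  name: "Interactive shell parent spawned privileged Linux execution"
  description: "Shell-driven privileged chains are useful for separating admin changes from long-running service behavior."
  severity: medium
  category: obom-runtime
  dry-run-support: full
  # Same auid/euid gating as OBOM-LNX-008, but keyed on the parent being a shell.
  # 'sh' and 'dash' are matched on parent_name only; the cmdline substring checks cover
  # bash/zsh/fish (the substring 'sh' alone would be too broad).
  condition: |
    components[
      $prop($, 'cdx:osquery:category') = 'sudo_executions'
      and $safeStr($prop($, 'auid')) != ''
      and $safeStr($prop($, 'auid')) != '0'
      and (
        $safeStr($prop($, 'euid')) = '0'
        or $safeStr($prop($, 'effective_user')) = 'root'
      )
      and (
        $safeStr($prop($, 'parent_name')) = 'bash'
        or $safeStr($prop($, 'parent_name')) = 'sh'
        or $safeStr($prop($, 'parent_name')) = 'zsh'
        or $safeStr($prop($, 'parent_name')) = 'dash'
        or $safeStr($prop($, 'parent_name')) = 'fish'
        or $contains($lowercase($nullSafeProp($, 'parent_cmdline')), 'bash')
        or $contains($lowercase($nullSafeProp($, 'parent_cmdline')), 'zsh')
        or $contains($lowercase($nullSafeProp($, 'parent_cmdline')), 'fish')
      )
    ]
  location: |
    { "bomRef": $."bom-ref", "purl": purl }
  message: "Interactive shell lineage for privileged command '{{ $prop($, 'cmdline') }}' merits change-review validation"
  mitigation: "Correlate the privileged command with shell history, tickets, and package changes to confirm it was expected."
  evidence: |
    {
      "loginUser": $prop($, 'login_user'),
      "parentName": $prop($, 'parent_name'),
      "parentCmdline": $prop($, 'parent_cmdline'),
      "path": $prop($, 'path'),
      "cmdline": $prop($, 'cmdline'),
      "timestamp": $prop($, 'time')
    }

- id: OBOM-LNX-012
  name: "Linux Secure Boot inventory contains revoked certificate"
  description: "Revoked entries in the Secure Boot trust inventory can indicate stale firmware trust policy or unexpected dbx posture drift."
  severity: high
  category: obom-runtime
  dry-run-support: full
  condition: |
    components[
      $prop($, 'cdx:osquery:category') = 'secureboot_certificates'
      and $safeStr($prop($, 'revoked')) = '1'
    ]
  location: |
    { "bomRef": $."bom-ref", "purl": purl }
  message: "Secure Boot certificate '{{ name }}' is marked revoked in firmware trust inventory"
  mitigation: "Review db/dbx enrollment, remove stale trust anchors, and reconcile firmware policy with approved platform signing certificates."
  evidence: |
    {
      "subject": $prop($, 'subject'),
      "issuer": $prop($, 'issuer'),
      "serial": $prop($, 'serial'),
      "path": $prop($, 'path'),
      "notValidAfter": $prop($, 'not_valid_after')
    }

- id: OBOM-LNX-013
  name: "Linux Secure Boot certificate expired or expiring soon"
  description: "Secure Boot trust anchors nearing expiry can cause firmware validation drift and interrupt planned key rotation windows."
  severity: medium
  category: obom-runtime
  dry-run-support: full
  # 2592000 seconds = 30 days; not_valid_after is compared as epoch seconds against
  # evaluation time.
  # NOTE(review): $number() raises on a non-numeric string and the guard only excludes
  #   '', so confirm the generator always emits not_valid_after as epoch seconds.
  condition: |
    components[
      $prop($, 'cdx:osquery:category') = 'secureboot_certificates'
      and $safeStr($prop($, 'not_valid_after')) != ''
      and $number($prop($, 'not_valid_after')) <= ($floor($millis() / 1000) + 2592000)
    ]
  location: |
    { "bomRef": $."bom-ref", "purl": purl }
  message: "Secure Boot certificate '{{ name }}' expires at {{ $prop($, 'not_valid_after') }} and should be rotated or reviewed"
  mitigation: "Rotate or re-enroll Secure Boot certificates before expiry and validate firmware trust stores against your approved signing hierarchy."
  evidence: |
    {
      "subject": $prop($, 'subject'),
      "issuer": $prop($, 'issuer'),
      "serial": $prop($, 'serial'),
      "path": $prop($, 'path'),
      "notValidBefore": $prop($, 'not_valid_before'),
      "notValidAfter": $prop($, 'not_valid_after')
    }

- id: OBOM-WIN-004
  name: "Hidden scheduled task uses suspicious execution path"
  description: "Enabled hidden tasks executing from temp paths or encoded script launchers are common persistence tradecraft."
  severity: high
  category: obom-runtime
  dry-run-support: full
  # Requires enabled AND hidden; then either a temp path or a powershell action using
  # an encoded command.
  condition: |
    components[
      $prop($, 'cdx:osquery:category') = 'scheduled_tasks'
      and $safeStr($prop($, 'enabled')) = '1'
      and $safeStr($prop($, 'hidden')) = '1'
      and (
        $contains($lowercase($nullSafeProp($, 'path')), '\\temp\\')
        or ($contains($lowercase($nullSafeProp($, 'action')), 'powershell') and $contains($lowercase($nullSafeProp($, 'action')), '-enc '))
      )
    ]
  location: |
    { "bomRef": $."bom-ref", "purl": purl }
  message: "Hidden scheduled task '{{ name }}' has suspicious action/path: {{ $prop($, 'action') }}"
  mitigation: "Validate author and binary lineage, disable unauthorized tasks, and investigate task registration event history."
  evidence: |
    {
      "taskName": name,
      "taskPath": $prop($, 'path'),
      "action": $prop($, 'action'),
      "state": $prop($, 'state')
    }

- id: OBOM-WIN-005
  name: "Auto-start Windows service points to user-writable path"
  description: "Auto-start services from temp or AppData paths may indicate privilege persistence through service hijacking."
  severity: critical
  category: obom-runtime
  dry-run-support: full
  condition: |
    components[
      $prop($, 'cdx:osquery:category') = 'services_snapshot'
      and $safeStr($prop($, 'start_type')) = 'AUTO_START'
      and (
        $contains($lowercase($nullSafeProp($, 'path')), '\\temp\\')
        or $contains($lowercase($nullSafeProp($, 'path')), '\\appdata\\')
      )
    ]
  location: |
    { "bomRef": $."bom-ref", "purl": purl }
  message: "Auto-start service '{{ name }}' launches from a user-writable path: {{ $prop($, 'path') }}"
  mitigation: "Move binaries to protected system paths, lock ACLs, and validate service image hashes/signatures."
  evidence: |
    {
      "serviceName": name,
      "displayName": $prop($, 'display_name'),
      "servicePath": $prop($, 'path'),
      "account": $prop($, 'user_account')
    }

- id: OBOM-WIN-006
  name: "Windows suspicious persistence surface references LOLBAS execution helper"
  description: "Any Windows persistence or startup surface that invokes a LOLBAS helper deserves review, including vendor- or platform-managed maintenance registrations, because these surfaces can become breachable execution targets."
  severity: high
  category: obom-runtime
  dry-run-support: full
  # Relies on the cdx:lolbas:* properties the generator attaches when a LOLBAS match is
  # found; only execution-type LOLBAS functions are in scope for this rule.
  condition: |
    components[
      $prop($, 'cdx:lolbas:matched') = 'true'
      and (
        $prop($, 'cdx:osquery:category') = 'windows_run_keys'
        or $prop($, 'cdx:osquery:category') = 'scheduled_tasks'
        or $prop($, 'cdx:osquery:category') = 'startup_items'
        or $prop($, 'cdx:osquery:category') = 'services_snapshot'
      )
      and (
        $listContains($prop($, 'cdx:lolbas:functions'), 'command')
        or $listContains($prop($, 'cdx:lolbas:functions'), 'script-execution')
        or $listContains($prop($, 'cdx:lolbas:functions'), 'proxy-execution')
        or $listContains($prop($, 'cdx:lolbas:functions'), 'library-load')
        or $listContains($prop($, 'cdx:lolbas:functions'), 'shell')
      )
    ]
  location: |
    { "bomRef": $."bom-ref", "purl": purl }
  message: "Windows {{ $prop($, 'cdx:osquery:category') }} registration '{{ $firstNonEmpty($prop($, 'key'), $prop($, 'path'), name) }}' launches '{{ $firstNonEmpty($prop($, 'action'), $prop($, 'executable'), $prop($, 'module_path'), $prop($, 'path'), description, name) }}' via LOLBAS helper(s) {{ $prop($, 'cdx:lolbas:names') }}"
  mitigation: "Review the registration surface and launched command together, validate the owning change, and do not auto-trust managed or vendor-owned maintenance surfaces without provenance and hardening review."
  attack:
    tactics: [TA0003, TA0004, TA0005]
    techniques: [T1218, T1547]
  evidence: |
    {
      "queryCategory": $prop($, 'cdx:osquery:category'),
      "registrationPath": $firstNonEmpty($prop($, 'key'), $prop($, 'path'), name),
      "targetPath": $firstNonEmpty($prop($, 'action'), $prop($, 'executable'), $prop($, 'module_path'), $prop($, 'path'), description),
      "lolbasNames": $prop($, 'cdx:lolbas:names'),
      "functions": $prop($, 'cdx:lolbas:functions'),
      "matchFields": $prop($, 'cdx:lolbas:matchFields'),
      "path": $prop($, 'path'),
      "action": $prop($, 'action'),
      "command": description
    }

- id: OBOM-WIN-007
  name: "Windows WMI or AppCompat persistence uses LOLBAS"
  description: "WMI command consumers and AppCompat shims that invoke LOLBAS utilities are high-signal persistence and defense-evasion indicators."
  severity: critical
  category: obom-runtime
  dry-run-support: full
  # Any LOLBAS match in these categories is enough; no function filter is applied.
  condition: |
    components[
      $prop($, 'cdx:lolbas:matched') = 'true'
      and (
        $prop($, 'cdx:osquery:category') = 'appcompat_shims'
        or $prop($, 'cdx:osquery:category') = 'wmi_cli_event_consumers'
        or $prop($, 'cdx:osquery:category') = 'wmi_cli_event_consumers_snapshot'
      )
    ]
  location: |
    { "bomRef": $."bom-ref", "purl": purl }
  message: "WMI/AppCompat persistence artifact '{{ name }}' references LOLBAS helper(s) {{ $prop($, 'cdx:lolbas:names') }}"
  mitigation: "Treat as a persistence investigation, review WMI repository and shim databases, and remove unauthorized subscriptions or shim registrations."
  attack:
    tactics: [TA0003, TA0004, TA0005]
    techniques: [T1218, T1546]
  evidence: |
    {
      "queryCategory": $prop($, 'cdx:osquery:category'),
      "lolbasNames": $prop($, 'cdx:lolbas:names'),
      "functions": $prop($, 'cdx:lolbas:functions'),
      "matchFields": $prop($, 'cdx:lolbas:matchFields'),
      "path": $prop($, 'path'),
      "executable": $prop($, 'executable'),
      "commandLine": $prop($, 'command_line'),
      "commandTemplate": $prop($, 'command_line_template')
    }

- id: OBOM-WIN-008
  name: "Windows startup or process activity uses network-capable LOLBAS"
  description: "Network-capable LOLBAS helpers such as PowerShell, Certutil, Bitsadmin, or WMIC become higher priority when they appear in persistence surfaces or suspicious live process command lines."
  severity: high
  category: obom-runtime
  dry-run-support: full
  # Persistence categories match on the download/upload function alone; live processes
  # additionally need a URL or an encoded command in the command line.
  condition: |
    components[
      $prop($, 'cdx:lolbas:matched') = 'true'
      and (
        $listContains($prop($, 'cdx:lolbas:functions'), 'download')
        or $listContains($prop($, 'cdx:lolbas:functions'), 'upload')
      )
      and (
        $prop($, 'cdx:osquery:category') = 'windows_run_keys'
        or $prop($, 'cdx:osquery:category') = 'scheduled_tasks'
        or $prop($, 'cdx:osquery:category') = 'startup_items'
        or (
          $prop($, 'cdx:osquery:category') = 'processes'
          and (
            $contains($lowercase($nullSafeProp($, 'cmdline')), 'http://')
            or $contains($lowercase($nullSafeProp($, 'cmdline')), 'https://')
            or $contains($lowercase($nullSafeProp($, 'cmdline')), '-enc ')
          )
        )
      )
    ]
  location: |
    { "bomRef": $."bom-ref", "purl": purl }
  message: "Network-capable LOLBAS helper(s) {{ $prop($, 'cdx:lolbas:names') }} detected in '{{ $prop($, 'cdx:osquery:category') }}'"
  mitigation: "Correlate with outbound connections and downloads, restrict unmanaged scripting/network utilities, and investigate encoded or remote-fetch command lines."
  attack:
    tactics: [TA0002, TA0010, TA0011]
    techniques: [T1041, T1059.001, T1105]
  evidence: |
    {
      "queryCategory": $prop($, 'cdx:osquery:category'),
      "lolbasNames": $prop($, 'cdx:lolbas:names'),
      "functions": $prop($, 'cdx:lolbas:functions'),
      "command": description,
      "cmdline": $prop($, 'cmdline'),
      "action": $prop($, 'action')
    }

- id: OBOM-WIN-009
  name: "Network-facing Windows listener is a LOLBAS execution helper"
  description: "A listening process backed by a LOLBAS execution helper is a strong remote-control or staging indicator on Windows endpoints."
  severity: critical
  category: obom-runtime
  dry-run-support: full
  # Same wildcard-bind test as OBOM-LNX-005/006, combined with an execution-type LOLBAS match.
  condition: |
    components[
      $prop($, 'cdx:osquery:category') = 'listening_ports'
      and $prop($, 'cdx:lolbas:matched') = 'true'
      and (
        $safeStr($prop($, 'address')) = '0.0.0.0'
        or $safeStr($prop($, 'address')) = '::'
      )
      and (
        $listContains($prop($, 'cdx:lolbas:functions'), 'command')
        or $listContains($prop($, 'cdx:lolbas:functions'), 'script-execution')
        or $listContains($prop($, 'cdx:lolbas:functions'), 'shell')
      )
    ]
  location: |
    { "bomRef": $."bom-ref", "purl": purl }
  message: "Listening process '{{ name }}' on {{ $prop($, 'address') }}:{{ $prop($, 'port') }} matches LOLBAS helper(s) {{ $prop($, 'cdx:lolbas:names') }}"
  mitigation: "Review parent process lineage, isolate unmanaged listeners, and block or remove unexpected inbound admin or scripting surfaces."
  attack:
    tactics: [TA0002, TA0005, TA0011]
    techniques: [T1059, T1105, T1218]
  evidence: |
    {
      "lolbasNames": $prop($, 'cdx:lolbas:names'),
      "functions": $prop($, 'cdx:lolbas:functions'),
      "path": $prop($, 'path'),
      "cmdline": $prop($, 'cmdline'),
      "address": $prop($, 'address'),
      "port": $prop($, 'port')
    }

- id: OBOM-WIN-010
  name: "Windows persistence artifact uses LOLBAS with UAC-bypass context"
  description: "Persistence surfaces that reference LOLBAS helpers documented with UAC-bypass behavior should be treated as privilege-escalation investigations."
  severity: critical
  category: obom-runtime
  dry-run-support: full
  # Keyed on the cdx:lolbas:contexts list rather than the functions list.
  condition: |
    components[
      $prop($, 'cdx:lolbas:matched') = 'true'
      and $listContains($prop($, 'cdx:lolbas:contexts'), 'uac-bypass')
      and (
        $prop($, 'cdx:osquery:category') = 'windows_run_keys'
        or $prop($, 'cdx:osquery:category') = 'scheduled_tasks'
        or $prop($, 'cdx:osquery:category') = 'startup_items'
        or $prop($, 'cdx:osquery:category') = 'wmi_cli_event_consumers'
        or $prop($, 'cdx:osquery:category') = 'wmi_cli_event_consumers_snapshot'
      )
    ]
  location: |
    { "bomRef": $."bom-ref", "purl": purl }
  message: "UAC-bypass-capable LOLBAS helper(s) {{ $prop($, 'cdx:lolbas:names') }} detected in Windows persistence artifact '{{ name }}'"
  mitigation: "Investigate as a possible privilege-escalation foothold, remove unauthorized registration points, and enforce WDAC/AppLocker policies for known proxy binaries."
  attack:
    tactics: [TA0004, TA0005]
    techniques: [T1548.002, T1218]
  evidence: |
    {
      "queryCategory": $prop($, 'cdx:osquery:category'),
      "lolbasNames": $prop($, 'cdx:lolbas:names'),
      "contexts": $prop($, 'cdx:lolbas:contexts'),
      "path": $prop($, 'path'),
      "action": $prop($, 'action'),
      "command": description
    }

- id: OBOM-MAC-004
  name: "macOS launchd override disables Apple-managed service"
  description: "Launchd overrides disabling Apple-managed services can indicate tampering with built-in security or platform controls."
  severity: medium
  category: obom-runtime
  dry-run-support: full
  # Only a Disabled=1/true override on a com.apple.* label is in scope.
  condition: |
    components[
      $prop($, 'cdx:osquery:category') = 'launchd_overrides'
      and $safeStr($prop($, 'key')) = 'Disabled'
      and (
        $safeStr($prop($, 'value')) = '1'
        or $lowercase($safeStr($prop($, 'value'))) = 'true'
      )
      and $startsWith($safeStr($prop($, 'label')), 'com.apple.')
    ]
  location: |
    { "bomRef": $."bom-ref", "purl": purl }
  message: "Launchd override disables Apple-managed label '{{ $prop($, 'label') }}'"
  mitigation: "Review override provenance, restore approved launchd settings, and investigate unauthorized local configuration changes."
  evidence: |
    {
      "label": $prop($, 'label'),
      "key": $prop($, 'key'),
      "value": $prop($, 'value'),
      "uid": $prop($, 'uid'),
      "plistPath": $prop($, 'path')
    }

- id: OBOM-MAC-005
  name: "macOS Gatekeeper enforcement is disabled or weakened"
  description: "Gatekeeper should enforce assessments and identified-developer checks on managed macOS endpoints."
  severity: high
  category: obom-runtime
  dry-run-support: full
  # '1' is treated as enabled for both flags; anything else (including missing) is flagged.
  condition: |
    components[
      $prop($, 'cdx:osquery:category') = 'gatekeeper'
      and (
        $safeStr($prop($, 'assessments_enabled')) != '1'
        or $safeStr($prop($, 'dev_id_enabled')) != '1'
      )
    ]
  location: |
    { "bomRef": $."bom-ref", "purl": purl }
  message: "Gatekeeper posture is weakened (assessments_enabled={{ $prop($, 'assessments_enabled') }}, dev_id_enabled={{ $prop($, 'dev_id_enabled') }})"
  mitigation: "Re-enable Gatekeeper assessments and identified-developer enforcement with spctl or an MDM configuration profile, then validate the host against baseline policy."
  evidence: |
    {
      "gatekeeperVersion": version,
      "opaqueVersion": description,
      "assessmentsEnabled": $prop($, 'assessments_enabled'),
      "devIdEnabled": $prop($, 'dev_id_enabled')
    }

- id: OBOM-LNX-014
  name: "Linux reverse shell behavior detected in live process telemetry"
  description: "A shell process with a live remote socket is a strong signal for hands-on-keyboard abuse, staging, or remote command execution."
  severity: critical
  category: obom-runtime
  dry-run-support: full
  # The behavioral classification is done by the generator; this rule surfaces every
  # component it tagged with that category.
  condition: |
    components[
      $prop($, 'cdx:osquery:category') = 'behavioral_reverse_shell'
    ]
  location: |
    { "bomRef": $."bom-ref", "purl": purl }
  message: "Reverse-shell-like process behavior detected for '{{ name }}' reaching {{ $prop($, 'remote_address') }}:{{ $prop($, 'remote_port') }}"
  mitigation: "Isolate the host, review process lineage and parent shell context, and confirm whether the remote session is expected administrative activity."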
evidence: | { "path": $prop($, 'path'), "cmdline": $prop($, 'cmdline'), "parentCmdline": $prop($, 'parent_cmdline'), "remoteAddress": $prop($, 'remote_address'), "remotePort": $prop($, 'remote_port') } - id: OBOM-LNX-015 name: "Linux process uses LD_PRELOAD from writable or temporary path" description: "LD_PRELOAD pointing at user-controlled paths can indicate library hijacking, stealth persistence, or runtime tampering." severity: high category: obom-runtime dry-run-support: full condition: | components[ $prop($, 'cdx:osquery:category') = 'ld_preload' and ( $contains($lowercase($safeStr($prop($, 'value'))), '/tmp/') or $contains($lowercase($safeStr($prop($, 'value'))), '/var/tmp/') or $contains($lowercase($safeStr($prop($, 'value'))), '/dev/shm/') or $contains($lowercase($safeStr($prop($, 'value'))), '/home/') or $contains($lowercase($safeStr($prop($, 'value'))), '/run/user/') ) ] location: | { "bomRef": $."bom-ref", "purl": purl } message: "Process '{{ name }}' sets LD_PRELOAD to a risky path: {{ $prop($, 'value') }}" mitigation: "Review the preload library, remove unauthorized runtime injection, and compare the process with package ownership and startup history." evidence: | { "processPath": $prop($, 'path'), "cmdline": $prop($, 'cmdline'), "cwd": $prop($, 'cwd'), "ldPreload": $prop($, 'value') } - id: OBOM-LNX-016 name: "Linux cron entry fetches remote content or runs from writable path" description: "Cron jobs that fetch remote content or execute from temporary and user-writable paths are a high-signal persistence pattern." 
severity: high category: obom-runtime dry-run-support: full condition: | components[ $prop($, 'cdx:osquery:category') = 'crontab_snapshot' and ( ( ( $contains($lowercase($safeStr($prop($, 'command'))), 'curl ') or $contains($lowercase($safeStr($prop($, 'command'))), 'wget ') ) and ( $contains($lowercase($safeStr($prop($, 'command'))), 'http://') or $contains($lowercase($safeStr($prop($, 'command'))), 'https://') or $contains($lowercase($safeStr($prop($, 'command'))), '| sh') or $contains($lowercase($safeStr($prop($, 'command'))), '| bash') ) ) or $contains($lowercase($safeStr($prop($, 'command'))), '/tmp/') or $contains($lowercase($safeStr($prop($, 'command'))), '/var/tmp/') or $contains($lowercase($safeStr($prop($, 'command'))), '/dev/shm/') or $contains($lowercase($safeStr($prop($, 'command'))), '/home/') ) ] location: | { "bomRef": $."bom-ref", "purl": purl } message: "Cron entry '{{ name }}' has a risky command: {{ $prop($, 'command') }}" mitigation: "Move bootstrap downloads into a managed deployment path, review cron ownership, and remove unauthorized recurring tasks." evidence: | { "command": $prop($, 'command'), "path": $prop($, 'path'), "minute": $prop($, 'minute'), "hour": $prop($, 'hour') } - id: OBOM-LNX-017 name: "Linux sysctl posture diverges from common hardening baseline" description: "Weak ASLR, kernel pointer restriction, and redirect-handling sysctl values are commonly called out in Lynis and CIS-style hardening reviews." 
severity: medium category: obom-runtime dry-run-support: full condition: | components[ $prop($, 'cdx:osquery:category') = 'sysctl_hardening' and ( (name = 'kernel.randomize_va_space' and $safeStr(version) != '2') or (name = 'kernel.kptr_restrict' and $safeStr(version) = '0') or ( ( name = 'net.ipv4.conf.all.accept_redirects' or name = 'net.ipv4.conf.default.accept_redirects' or name = 'net.ipv4.conf.all.send_redirects' or name = 'net.ipv4.conf.default.send_redirects' ) and $safeStr(version) = '1' ) ) ] location: | { "bomRef": $."bom-ref", "purl": purl } message: "Sysctl '{{ name }}' has a weak hardening value: {{ version }}" mitigation: "Align the sysctl value with your baseline, apply the setting persistently, and validate whether the deviation is truly required for this host." evidence: | { "sysctl": name, "value": version } - id: OBOM-LNX-018 name: "Linux temporary mount is missing key hardening flags" description: "Temporary and shared-memory mounts should usually carry noexec, nosuid, and nodev protections on hardened hosts." severity: high category: obom-runtime dry-run-support: full condition: | components[ $prop($, 'cdx:osquery:category') = 'mount_hardening' and ( name = '/tmp' or name = '/var/tmp' or name = '/dev/shm' ) and ( $not($contains($lowercase($safeStr(version)), 'noexec')) or $not($contains($lowercase($safeStr(version)), 'nosuid')) or $not($contains($lowercase($safeStr(version)), 'nodev')) ) ] location: | { "bomRef": $."bom-ref", "purl": purl } message: "Mount '{{ name }}' is missing one or more hardening flags: {{ version }}" mitigation: "Review whether the mount should carry noexec, nosuid, and nodev, then enforce the chosen baseline through fstab, systemd mounts, or image build policy." 
evidence: | { "mount": name, "flags": version, "device": description, "type": $prop($, 'type') } - id: OBOM-LNX-019 name: "Live Linux runtime artifact matches GTFOBins execution helper" description: "GTFOBins-capable binaries in privileged or network-active runtime contexts deserve elevated review because they compress execution, persistence, and lateral movement tradecraft into familiar tools." severity: high category: obom-runtime dry-run-support: full condition: | components[ $prop($, 'cdx:gtfobins:matched') = 'true' and ( $prop($, 'cdx:osquery:category') = 'sudo_executions' or $prop($, 'cdx:osquery:category') = 'privilege_transitions' or $prop($, 'cdx:osquery:category') = 'privileged_listening_ports' or $prop($, 'cdx:osquery:category') = 'behavioral_reverse_shell' or ( $prop($, 'cdx:osquery:category') = 'elevated_processes' and ( $safeStr($prop($, 'package_source_hint')) = 'user-writable-path' or $contains($nullSafeProp($, 'path'), '/tmp/') or $contains($nullSafeProp($, 'path'), '/var/tmp/') or $contains($nullSafeProp($, 'path'), '/dev/shm/') or $contains($nullSafeProp($, 'path'), '/home/') or $contains($nullSafeProp($, 'path'), '/run/user/') or $contains($nullSafeProp($, 'cmdline'), '/tmp/') or $contains($nullSafeProp($, 'cmdline'), '/var/tmp/') or $contains($nullSafeProp($, 'cmdline'), '/dev/shm/') or $contains($nullSafeProp($, 'cmdline'), '/home/') or $contains($nullSafeProp($, 'cmdline'), '/run/user/') ) ) ) and ( $listContains($prop($, 'cdx:gtfobins:functions'), 'shell') or $listContains($prop($, 'cdx:gtfobins:functions'), 'command') or $listContains($prop($, 'cdx:gtfobins:functions'), 'reverse-shell') ) ] location: | { "bomRef": $."bom-ref", "purl": purl } message: "Runtime artifact '{{ name }}' matches GTFOBins helper(s) {{ $prop($, 'cdx:gtfobins:names') }} in '{{ $prop($, 'cdx:osquery:category') }}'" mitigation: "Validate the binary provenance and operator intent, then review related sudo, privilege-transition, listener, and remote-connection telemetry 
before suppressing the finding." evidence: | { "queryCategory": $prop($, 'cdx:osquery:category'), "gtfobinsNames": $prop($, 'cdx:gtfobins:names'), "functions": $prop($, 'cdx:gtfobins:functions'), "contexts": $prop($, 'cdx:gtfobins:contexts'), "riskTags": $prop($, 'cdx:gtfobins:riskTags'), "path": $prop($, 'path'), "cmdline": $prop($, 'cmdline') } - id: OBOM-WIN-011 name: "Windows Public profile inbound firewall allow rule" description: "Inbound allow rules on the Public firewall profile can expose services beyon