# OBOM Runtime Security & Compliance Rules # Category: obom-runtime # Detects host posture, persistence, and runtime indicators from osquery-derived OBOM components - id: OBOM-LNX-001 name: "Linux systemd unit sourced from temporary path" description: "Systemd units loaded from /tmp or /var/tmp can indicate unauthorized persistence." severity: high category: obom-runtime dry-run-support: full condition: | components[ $prop($, 'cdx:osquery:category') = 'systemd_units' and ( $contains($nullSafeProp($, 'fragment_path'), '/tmp/') or $contains($nullSafeProp($, 'fragment_path'), '/var/tmp/') or $contains($nullSafeProp($, 'source_path'), '/tmp/') or $contains($nullSafeProp($, 'source_path'), '/var/tmp/') ) ] location: | { "bomRef": $."bom-ref", "purl": purl } message: "Systemd unit '{{ name }}' loads from unit path '{{ $firstNonEmpty($prop($, 'fragment_path'), $prop($, 'source_path'), name) }}' with temporary-backed source '{{ $firstNonEmpty($prop($, 'source_path'), $prop($, 'fragment_path')) }}'" mitigation: "Review the unit file and any generated source/drop-in together, move them to trusted system paths, validate ownership/permissions, and re-enable only approved services." evidence: | { "activeState": $prop($, 'active_state'), "unitFileState": $prop($, 'unit_file_state'), "fragmentPath": $prop($, 'fragment_path'), "sourcePath": $prop($, 'source_path') } - id: OBOM-LNX-002 name: "Linux sudoers broad privilege rule" description: "Sudoers entries allowing unrestricted command execution increase lateral movement and privilege escalation risk." severity: high category: obom-runtime dry-run-support: full condition: | components[ $prop($, 'cdx:osquery:category') = 'sudoers_snapshot' and ( $contains(description, 'NOPASSWD:ALL') or $contains(description, 'ALL=(ALL) ALL') ) ] location: | { "bomRef": $."bom-ref", "purl": purl } message: "Sudo policy '{{ name }}' contains broad privilege grant: {{ description }}" mitigation: "Replace broad grants with command-specific allowlists and enforce MFA/approval workflows for privileged operations." evidence: | { "sourceFile": $prop($, 'path'), "ruleDetails": description } - id: OBOM-LNX-003 name: "Root authorized_keys entry without restrictions" description: "Root SSH keys without command/from/no-agent-forwarding restrictions weaken access controls and traceability." severity: medium category: obom-runtime dry-run-support: full condition: | components[ $prop($, 'cdx:osquery:category') = 'authorized_keys_snapshot' and name = 'root' and $hasProp($, 'options') and $safeStr($prop($, 'options')) = '' ] location: | { "bomRef": $."bom-ref", "purl": purl } message: "Root authorized_keys entry in '{{ $prop($, 'key_file') }}' lacks restrictive key options" mitigation: "Apply restrictive key options (from=, command=, no-agent-forwarding, no-port-forwarding) and rotate unmanaged keys." evidence: | { "account": name, "algorithm": version, "keyFile": $prop($, 'key_file'), "options": $prop($, 'options') } - id: OBOM-WIN-001 name: "Windows drive without BitLocker protection" description: "Drives with disabled BitLocker protection can violate endpoint encryption requirements and increase data exposure risk." severity: high category: obom-runtime dry-run-support: full condition: | components[ $prop($, 'cdx:osquery:category') = 'windows_bitlocker_info' and $safeStr($prop($, 'protection_status')) != '1' ] location: | { "bomRef": $."bom-ref", "purl": purl } message: "BitLocker protection is not enabled for drive '{{ version }}' (device '{{ name }}')" mitigation: "Enable BitLocker with approved encryption policy and escrow recovery keys in managed KMS/AD." evidence: | { "deviceId": name, "driveLetter": version, "protectionStatus": $prop($, 'protection_status'), "encryptionMethod": $prop($, 'encryption_method'), "percentageEncrypted": $prop($, 'percentage_encrypted') } - id: OBOM-WIN-002 name: "Windows Security Center unhealthy state" description: "Poor Security Center health indicates one or more key endpoint protections are disabled or degraded." severity: high category: obom-runtime dry-run-support: full condition: | components[ $prop($, 'cdx:osquery:category') = 'windows_security_center' and ( name = 'Poor' or version = 'Poor' or description = 'Poor' or $prop($, 'internet_settings') = 'Poor' or $prop($, 'windows_security_center_service') = 'Poor' or $prop($, 'user_account_control') = 'Poor' ) ] location: | { "bomRef": $."bom-ref", "purl": purl } message: "Windows Security Center reports degraded protection posture (antivirus={{ name }}, firewall={{ version }}, autoupdate={{ description }})" mitigation: "Restore endpoint protection controls and enforce policy baselines for AV, firewall, updates, and UAC." evidence: | { "antivirus": name, "firewall": version, "autoupdate": description, "internetSettings": $prop($, 'internet_settings'), "securityCenterService": $prop($, 'windows_security_center_service'), "uac": $prop($, 'user_account_control') } - id: OBOM-WIN-003 name: "Windows Run key references temporary/script execution path" description: "Run/RunOnce entries launching from temp or encoded script commands are common persistence techniques." severity: critical category: obom-runtime dry-run-support: full condition: | components[ $prop($, 'cdx:osquery:category') = 'windows_run_keys' and ( $contains($lowercase($safeStr(description)), '\\appdata\\local\\temp\\') or $contains($lowercase($safeStr(description)), '\\temp\\') or $contains($lowercase($safeStr(description)), '-enc ') ) ] location: | { "bomRef": $."bom-ref", "purl": purl } message: "Run key '{{ name }}' launches potentially suspicious command/path: {{ description }}" mitigation: "Validate publisher and hash of the referenced executable/script, remove unauthorized entries, and investigate parent change events." evidence: | { "registryPath": name, "command": description, "registryKey": $prop($, 'key'), "mtime": version } - id: OBOM-MAC-001 name: "macOS firewall disabled or stealth mode off" description: "ALF misconfiguration can expose endpoints to unsolicited inbound traffic and weakens host hardening baselines." severity: high category: obom-runtime dry-run-support: full condition: | components[ $prop($, 'cdx:osquery:category') = 'alf' and ( $safeStr(version) = '0' or $safeStr($prop($, 'stealth_enabled')) = '0' ) ] location: | { "bomRef": $."bom-ref", "purl": purl } message: "macOS ALF posture is weak (global_state={{ version }}, stealth_enabled={{ $prop($, 'stealth_enabled') }})" mitigation: "Enable ALF and stealth mode via managed profile or MDM baseline." evidence: | { "globalState": version, "stealthEnabled": $prop($, 'stealth_enabled'), "allowSignedEnabled": $prop($, 'allow_signed_enabled'), "loggingEnabled": $prop($, 'logging_enabled') } - id: OBOM-MAC-002 name: "macOS launchd item from user-writable temporary path" description: "Launchd agents/daemons sourced from temporary paths are a strong persistence and execution abuse signal." severity: critical category: obom-runtime dry-run-support: full condition: | components[ $prop($, 'cdx:osquery:category') = 'launchd_services' and ( $contains($nullSafeProp($, 'path'), '/tmp/') or $contains($nullSafeProp($, 'path'), '/var/tmp/') or $contains($nullSafeProp($, 'program'), '/tmp/') or $contains($nullSafeProp($, 'program'), '/var/tmp/') ) and ( $safeStr($prop($, 'run_at_load')) = 'true' or $safeStr($prop($, 'run_at_load')) = '1' or $safeStr($prop($, 'keep_alive')) = 'true' or $safeStr($prop($, 'keep_alive')) = '1' ) ] location: | { "bomRef": $."bom-ref", "purl": purl } message: "Launchd item '{{ $firstNonEmpty($prop($, 'label'), name) }}' uses plist '{{ $firstNonEmpty($prop($, 'path'), name) }}' and target '{{ $firstNonEmpty($prop($, 'program'), $prop($, 'program_arguments'), name) }}' from a temporary path with persistence enabled" mitigation: "Review the launchd plist and target executable together, remove unauthorized entries, relocate approved binaries to trusted paths, and enforce signed launchd payloads." evidence: | { "label": $prop($, 'label'), "plistPath": $prop($, 'path'), "targetPath": $firstNonEmpty($prop($, 'program'), $prop($, 'program_arguments')), "program": $prop($, 'program'), "programArguments": $prop($, 'program_arguments'), "runAtLoad": $prop($, 'run_at_load'), "keepAlive": $prop($, 'keep_alive') } - id: OBOM-MAC-003 name: "macOS firewall exception for binary in untrusted user path" description: "ALF exceptions for binaries in user Downloads/Desktop/tmp increase risk of untrusted inbound network exposure." severity: medium category: obom-runtime dry-run-support: full condition: | components[ $prop($, 'cdx:osquery:category') = 'alf_exceptions' and ( $contains($safeStr(name), '/Users/') and ( $contains($safeStr(name), '/Downloads/') or $contains($safeStr(name), '/Desktop/') or $contains($safeStr(name), '/tmp/') ) ) ] location: | { "bomRef": $."bom-ref", "purl": purl } message: "ALF exception allows inbound access for risky path '{{ name }}'" mitigation: "Restrict exceptions to signed, managed applications in trusted system paths." evidence: | { "path": name, "state": version } - id: OBOM-LNX-004 name: "Linux shell history contains suspicious download-execute pattern" description: "Shell history with direct download-and-execute commands may indicate malware staging or hands-on-keyboard activity." severity: high category: obom-runtime dry-run-support: full condition: | components[ $prop($, 'cdx:osquery:category') = 'shell_history_snapshot' and ( ($contains($lowercase(description), 'curl ') and $contains($lowercase(description), '| sh')) or ($contains($lowercase(description), 'wget ') and $contains($lowercase(description), '| bash')) or $contains($lowercase(description), 'base64 -d') or $contains($lowercase(description), 'nc -e ') ) ] location: | { "bomRef": $."bom-ref", "purl": purl } message: "Suspicious shell history entry for user '{{ name }}': {{ description }}" mitigation: "Correlate with process/network telemetry, validate command intent, and isolate host if command lineage is untrusted." evidence: | { "account": name, "command": description, "historyFile": $prop($, 'history_file'), "timestamp": $prop($, 'time') } - id: OBOM-LNX-005 name: "Docker API exposed over unauthenticated TCP port" description: "Dockerd listening on TCP 2375 enables remote daemon control if not protected by network controls and TLS." severity: critical category: obom-runtime dry-run-support: full condition: | components[ $prop($, 'cdx:osquery:category') = 'listening_ports' and $safeStr($prop($, 'port')) = '2375' and ( $safeStr($prop($, 'address')) = '0.0.0.0' or $safeStr($prop($, 'address')) = '::' ) ] location: | { "bomRef": $."bom-ref", "purl": purl } message: "Potentially insecure Docker API exposure detected on {{ $prop($, 'address') }}:{{ $prop($, 'port') }} for process '{{ name }}'" mitigation: "Disable insecure TCP listener, enforce TLS/mTLS, and restrict daemon access to trusted local interfaces." evidence: | { "process": name, "pid": $prop($, 'pid'), "address": $prop($, 'address'), "port": $prop($, 'port'), "protocol": $prop($, 'protocol') } - id: OBOM-LNX-006 name: "Privileged Linux listener exposed on a non-local interface" description: "Root or service-account listeners bound to all interfaces expand attack surface and should be reviewed even when they appear to come from managed system paths." severity: medium category: obom-runtime dry-run-support: full condition: | components[ $prop($, 'cdx:osquery:category') = 'privileged_listening_ports' and ( $safeStr($prop($, 'address')) = '0.0.0.0' or $safeStr($prop($, 'address')) = '::' ) and $safeStr($prop($, 'port')) != '22' and $safeStr($prop($, 'port')) != '53' and $safeStr(name) != 'systemd-resolved' and $safeStr(name) != 'avahi-daemon' and $safeStr(name) != 'cupsd' and $safeStr($prop($, 'package_source_hint')) != 'user-writable-path' and $safeStr($prop($, 'package_source_hint')) != 'unclassified-path' and $not($contains($lowercase($nullSafeProp($, 'path')), '/tmp/')) and $not($contains($lowercase($nullSafeProp($, 'path')), '/var/tmp/')) and $not($contains($lowercase($nullSafeProp($, 'path')), '/dev/shm/')) and $not($contains($lowercase($nullSafeProp($, 'path')), '/home/')) and $not($contains($lowercase($nullSafeProp($, 'path')), '/run/user/')) ] location: | { "bomRef": $."bom-ref", "purl": purl } message: "Privileged listener '{{ name }}' from '{{ $firstNonEmpty($prop($, 'path'), name) }}' is reachable on {{ $prop($, 'address') }}:{{ $prop($, 'port') }} and should be validated against approved exposure" mitigation: "Restrict privileged services to local interfaces where possible, front them with authenticated proxies, and validate the listener path and service ownership against approved admin-surface inventory." evidence: | { "account": $prop($, 'account'), "pid": $prop($, 'pid'), "address": $prop($, 'address'), "port": $prop($, 'port'), "path": $prop($, 'path'), "serviceUnit": $prop($, 'service_unit'), "packageSourceHint": $prop($, 'package_source_hint'), "parentCmdline": $prop($, 'parent_cmdline') } - id: OBOM-LNX-007 name: "Administrative Linux surface running with elevated privileges" description: "Cockpit, PackageKit, pkexec, and related admin surfaces running with elevated privileges should be continuously monitored for exposure and drift." severity: high category: obom-runtime dry-run-support: full condition: | components[ ( $prop($, 'cdx:osquery:category') = 'elevated_processes' or $prop($, 'cdx:osquery:category') = 'privileged_listening_ports' or $prop($, 'cdx:osquery:category') = 'sudo_executions' or $prop($, 'cdx:osquery:category') = 'privilege_transitions' ) and ( $contains($lowercase($safeStr(name)), 'cockpit') or $contains($lowercase($nullSafeProp($, 'path')), 'cockpit') or $contains($lowercase($nullSafeProp($, 'cmdline')), 'cockpit') or $contains($lowercase($safeStr(name)), 'packagekit') or $contains($lowercase($nullSafeProp($, 'path')), 'packagekit') or $contains($lowercase($nullSafeProp($, 'cmdline')), 'packagekit') or $contains($lowercase($safeStr(name)), 'pkexec') or $contains($lowercase($nullSafeProp($, 'path')), 'pkexec') or $contains($lowercase($nullSafeProp($, 'cmdline')), 'pkexec') or $contains($lowercase($safeStr(name)), 'pkcon') or $contains($lowercase($nullSafeProp($, 'cmdline')), 'pkcon') ) and ( $safeStr($prop($, 'uid')) = '0' or $safeStr($prop($, 'euid')) = '0' or $safeStr($prop($, 'account')) = 'root' or $safeStr($prop($, 'effective_user')) = 'root' ) ] location: | { "bomRef": $."bom-ref", "purl": purl } message: "Administrative surface '{{ name }}' is active with elevated privileges and should be reviewed for exposure" mitigation: "Review network reachability, patch cadence, and whether the administrative package is still needed on this host." evidence: | { "category": $prop($, 'cdx:osquery:category'), "path": $prop($, 'path'), "cmdline": $prop($, 'cmdline'), "account": $prop($, 'account'), "effectiveUser": $prop($, 'effective_user'), "serviceUnit": $prop($, 'service_unit'), "address": $prop($, 'address'), "port": $prop($, 'port'), "packageSourceHint": $prop($, 'package_source_hint') } - id: OBOM-LNX-008 name: "Interactive sudo chain touched sensitive administrative binary" description: "Interactive sudo or pkexec invocations against package-management and admin-control binaries can indicate privileged changes worth auditing." severity: high category: obom-runtime dry-run-support: full condition: | components[ $prop($, 'cdx:osquery:category') = 'sudo_executions' and $safeStr($prop($, 'auid')) != '' and $safeStr($prop($, 'auid')) != '0' and ( $safeStr($prop($, 'euid')) = '0' or $safeStr($prop($, 'effective_user')) = 'root' ) and ( $contains($lowercase($nullSafeProp($, 'path')), 'pkexec') or $contains($lowercase($nullSafeProp($, 'path')), 'pkcon') or $contains($lowercase($nullSafeProp($, 'path')), 'packagekit') or $contains($lowercase($nullSafeProp($, 'cmdline')), 'pkexec') or $contains($lowercase($nullSafeProp($, 'cmdline')), 'pkcon') or $contains($lowercase($nullSafeProp($, 'cmdline')), 'packagekit') or $contains($lowercase($nullSafeProp($, 'cmdline')), 'cockpit') or $contains($lowercase($nullSafeProp($, 'cmdline')), 'systemctl') or $contains($lowercase($nullSafeProp($, 'cmdline')), 'service ') or $contains($lowercase($nullSafeProp($, 'cmdline')), ' apt ') or $contains($lowercase($nullSafeProp($, 'cmdline')), ' apt-get ') or $contains($lowercase($nullSafeProp($, 'cmdline')), ' dnf ') or $contains($lowercase($nullSafeProp($, 'cmdline')), ' yum ') or $contains($lowercase($nullSafeProp($, 'cmdline')), ' zypper ') or $contains($lowercase($nullSafeProp($, 'cmdline')), ' rpm ') or $contains($lowercase($nullSafeProp($, 'cmdline')), ' dpkg ') ) ] location: | { "bomRef": $."bom-ref", "purl": purl } message: "Interactive privileged execution by '{{ $prop($, 'login_user') }}' touched sensitive administrative command '{{ $prop($, 'path') }}'" mitigation: "Review whether the command was expected, tie it to change records, and investigate unexpected package-management or control-plane activity." evidence: | { "loginUser": $prop($, 'login_user'), "effectiveUser": $prop($, 'effective_user'), "path": $prop($, 'path'), "cmdline": $prop($, 'cmdline'), "parentCmdline": $prop($, 'parent_cmdline'), "serviceUnit": $prop($, 'service_unit'), "packageSourceHint": $prop($, 'package_source_hint'), "timestamp": $prop($, 'time') } - id: OBOM-LNX-009 name: "Unexpected Linux privilege transition for non-allowlisted executable" description: "Setuid/setgid transitions outside a small baseline of expected tools can indicate risky privilege-bound packages or exploit activity." severity: high category: obom-runtime dry-run-support: full condition: | components[ $prop($, 'cdx:osquery:category') = 'privilege_transitions' and $safeStr($prop($, 'auid')) != '' and $safeStr($prop($, 'auid')) != '0' and ( $safeStr($prop($, 'euid')) = '0' or $safeStr($prop($, 'egid')) = '0' ) and $safeStr($prop($, 'path')) != '/usr/bin/sudo' and $safeStr($prop($, 'path')) != '/bin/su' and $safeStr($prop($, 'path')) != '/usr/bin/su' and $safeStr($prop($, 'path')) != '/usr/bin/doas' and $safeStr($prop($, 'path')) != '/usr/bin/passwd' and $safeStr($prop($, 'path')) != '/usr/bin/chsh' and $safeStr($prop($, 'path')) != '/usr/bin/chfn' and $safeStr($prop($, 'path')) != '/usr/bin/gpasswd' and $safeStr($prop($, 'path')) != '/usr/bin/newgrp' and $safeStr($prop($, 'path')) != '/usr/bin/mount' and $safeStr($prop($, 'path')) != '/usr/bin/umount' ] location: | { "bomRef": $."bom-ref", "purl": purl } message: "Unexpected privilege transition detected for '{{ $prop($, 'path') }}' (auid={{ $prop($, 'auid') }}, euid={{ $prop($, 'euid') }})" mitigation: "Validate binary provenance, file permissions, and recent package changes; treat unfamiliar setuid/setgid paths as high-priority review items." evidence: | { "loginUser": $prop($, 'login_user'), "path": $prop($, 'path'), "cmdline": $prop($, 'cmdline'), "parentCmdline": $prop($, 'parent_cmdline'), "auid": $prop($, 'auid'), "uid": $prop($, 'uid'), "euid": $prop($, 'euid'), "gid": $prop($, 'gid'), "egid": $prop($, 'egid'), "packageSourceHint": $prop($, 'package_source_hint') } - id: OBOM-LNX-010 name: "Elevated Linux process launched from user-writable or temporary path" description: "Root processes executing from explicit user-controlled, temporary, or per-user runtime paths are a strong signal for persistence or package drift." severity: critical category: obom-runtime dry-run-support: full condition: | components[ $prop($, 'cdx:osquery:category') = 'elevated_processes' and $safeStr($prop($, 'uid')) = '0' and ( $contains($nullSafeProp($, 'path'), '/tmp/') or $contains($nullSafeProp($, 'path'), '/var/tmp/') or $contains($nullSafeProp($, 'path'), '/dev/shm/') or $contains($nullSafeProp($, 'path'), '/home/') or $contains($nullSafeProp($, 'path'), '/run/user/') or $contains($nullSafeProp($, 'cmdline'), '/tmp/') or $contains($nullSafeProp($, 'cmdline'), '/var/tmp/') or $contains($nullSafeProp($, 'cmdline'), '/dev/shm/') or $contains($nullSafeProp($, 'cmdline'), '/home/') or $contains($nullSafeProp($, 'cmdline'), '/run/user/') or $safeStr($prop($, 'package_source_hint')) = 'user-writable-path' ) and $safeStr(name) != 'systemd' and $safeStr(name) != 'init' ] location: | { "bomRef": $."bom-ref", "purl": purl } message: "Elevated process '{{ name }}' executes from a risky path or command: {{ $firstNonEmpty($prop($, 'path'), $prop($, 'cmdline'), name) }}" mitigation: "Validate the executable path and full command line, move approved binaries into trusted system locations, and investigate any root process sourced from writable directories or per-user runtime paths." evidence: | { "account": $prop($, 'account'), "path": $prop($, 'path'), "cmdline": $prop($, 'cmdline'), "serviceUnit": $prop($, 'service_unit'), "parentPath": $prop($, 'parent_path'), "parentCmdline": $prop($, 'parent_cmdline'), "startTime": $prop($, 'start_time'), "packageSourceHint": $prop($, 'package_source_hint') } - id: OBOM-LNX-011 name: "Interactive shell parent spawned privileged Linux execution" description: "Shell-driven privileged chains are useful for separating admin changes from long-running service behavior." severity: medium category: obom-runtime dry-run-support: full condition: | components[ $prop($, 'cdx:osquery:category') = 'sudo_executions' and $safeStr($prop($, 'auid')) != '' and $safeStr($prop($, 'auid')) != '0' and ( $safeStr($prop($, 'euid')) = '0' or $safeStr($prop($, 'effective_user')) = 'root' ) and ( $safeStr($prop($, 'parent_name')) = 'bash' or $safeStr($prop($, 'parent_name')) = 'sh' or $safeStr($prop($, 'parent_name')) = 'zsh' or $safeStr($prop($, 'parent_name')) = 'dash' or $safeStr($prop($, 'parent_name')) = 'fish' or $contains($lowercase($nullSafeProp($, 'parent_cmdline')), 'bash') or $contains($lowercase($nullSafeProp($, 'parent_cmdline')), 'zsh') or $contains($lowercase($nullSafeProp($, 'parent_cmdline')), 'fish') ) ] location: | { "bomRef": $."bom-ref", "purl": purl } message: "Interactive shell lineage for privileged command '{{ $prop($, 'cmdline') }}' merits change-review validation" mitigation: "Correlate the privileged command with shell history, tickets, and package changes to confirm it was expected." evidence: | { "loginUser": $prop($, 'login_user'), "parentName": $prop($, 'parent_name'), "parentCmdline": $prop($, 'parent_cmdline'), "path": $prop($, 'path'), "cmdline": $prop($, 'cmdline'), "timestamp": $prop($, 'time') } - id: OBOM-LNX-012 name: "Linux Secure Boot inventory contains revoked certificate" description: "Revoked entries in the Secure Boot trust inventory can indicate stale firmware trust policy or unexpected dbx posture drift." severity: high category: obom-runtime dry-run-support: full condition: | components[ $prop($, 'cdx:osquery:category') = 'secureboot_certificates' and $safeStr($prop($, 'revoked')) = '1' ] location: | { "bomRef": $."bom-ref", "purl": purl } message: "Secure Boot certificate '{{ name }}' is marked revoked in firmware trust inventory" mitigation: "Review db/dbx enrollment, remove stale trust anchors, and reconcile firmware policy with approved platform signing certificates." evidence: | { "subject": $prop($, 'subject'), "issuer": $prop($, 'issuer'), "serial": $prop($, 'serial'), "path": $prop($, 'path'), "notValidAfter": $prop($, 'not_valid_after') } - id: OBOM-LNX-013 name: "Linux Secure Boot certificate expired or expiring soon" description: "Secure Boot trust anchors nearing expiry can cause firmware validation drift and interrupt planned key rotation windows." severity: medium category: obom-runtime dry-run-support: full condition: | components[ $prop($, 'cdx:osquery:category') = 'secureboot_certificates' and $safeStr($prop($, 'not_valid_after')) != '' and $number($prop($, 'not_valid_after')) <= ($floor($millis() / 1000) + 2592000) ] location: | { "bomRef": $."bom-ref", "purl": purl } message: "Secure Boot certificate '{{ name }}' expires at {{ $prop($, 'not_valid_after') }} and should be rotated or reviewed" mitigation: "Rotate or re-enroll Secure Boot certificates before expiry and validate firmware trust stores against your approved signing hierarchy." evidence: | { "subject": $prop($, 'subject'), "issuer": $prop($, 'issuer'), "serial": $prop($, 'serial'), "path": $prop($, 'path'), "notValidBefore": $prop($, 'not_valid_before'), "notValidAfter": $prop($, 'not_valid_after') } - id: OBOM-WIN-004 name: "Hidden scheduled task uses suspicious execution path" description: "Enabled hidden tasks executing from temp paths or encoded script launchers are common persistence tradecraft." severity: high category: obom-runtime dry-run-support: full condition: | components[ $prop($, 'cdx:osquery:category') = 'scheduled_tasks' and $safeStr($prop($, 'enabled')) = '1' and $safeStr($prop($, 'hidden')) = '1' and ( $contains($lowercase($nullSafeProp($, 'path')), '\\temp\\') or ($contains($lowercase($nullSafeProp($, 'action')), 'powershell') and $contains($lowercase($nullSafeProp($, 'action')), '-enc ')) ) ] location: | { "bomRef": $."bom-ref", "purl": purl } message: "Hidden scheduled task '{{ name }}' has suspicious action/path: {{ $prop($, 'action') }}" mitigation: "Validate author and binary lineage, disable unauthorized tasks, and investigate task registration event history." evidence: | { "taskName": name, "taskPath": $prop($, 'path'), "action": $prop($, 'action'), "state": $prop($, 'state') } - id: OBOM-WIN-005 name: "Auto-start Windows service points to user-writable path" description: "Auto-start services from temp or AppData paths may indicate privilege persistence through service hijacking." severity: critical category: obom-runtime dry-run-support: full condition: | components[ $prop($, 'cdx:osquery:category') = 'services_snapshot' and $safeStr($prop($, 'start_type')) = 'AUTO_START' and ( $contains($lowercase($nullSafeProp($, 'path')), '\\temp\\') or $contains($lowercase($nullSafeProp($, 'path')), '\\appdata\\') ) ] location: | { "bomRef": $."bom-ref", "purl": purl } message: "Auto-start service '{{ name }}' launches from a user-writable path: {{ $prop($, 'path') }}" mitigation: "Move binaries to protected system paths, lock ACLs, and validate service image hashes/signatures." evidence: | { "serviceName": name, "displayName": $prop($, 'display_name'), "servicePath": $prop($, 'path'), "account": $prop($, 'user_account') } - id: OBOM-WIN-006 name: "Windows suspicious persistence surface references LOLBAS execution helper" description: "Any Windows persistence or startup surface that invokes a LOLBAS helper deserves review, including vendor- or platform-managed maintenance registrations, because these surfaces can become breachable execution targets." severity: high category: obom-runtime dry-run-support: full condition: | components[ $prop($, 'cdx:lolbas:matched') = 'true' and ( $prop($, 'cdx:osquery:category') = 'windows_run_keys' or $prop($, 'cdx:osquery:category') = 'scheduled_tasks' or $prop($, 'cdx:osquery:category') = 'startup_items' or $prop($, 'cdx:osquery:category') = 'services_snapshot' ) and ( $listContains($prop($, 'cdx:lolbas:functions'), 'command') or $listContains($prop($, 'cdx:lolbas:functions'), 'script-execution') or $listContains($prop($, 'cdx:lolbas:functions'), 'proxy-execution') or $listContains($prop($, 'cdx:lolbas:functions'), 'library-load') or $listContains($prop($, 'cdx:lolbas:functions'), 'shell') ) ] location: | { "bomRef": $."bom-ref", "purl": purl } message: "Windows {{ $prop($, 'cdx:osquery:category') }} registration '{{ $firstNonEmpty($prop($, 'key'), $prop($, 'path'), name) }}' launches '{{ $firstNonEmpty($prop($, 'action'), $prop($, 'executable'), $prop($, 'module_path'), $prop($, 'path'), description, name) }}' via LOLBAS helper(s) {{ $prop($, 'cdx:lolbas:names') }}" mitigation: "Review the registration surface and launched command together, validate the owning change, and do not auto-trust managed or vendor-owned maintenance surfaces without provenance and hardening review." attack: tactics: [TA0003, TA0004, TA0005] techniques: [T1218, T1547] evidence: | { "queryCategory": $prop($, 'cdx:osquery:category'), "registrationPath": $firstNonEmpty($prop($, 'key'), $prop($, 'path'), name), "targetPath": $firstNonEmpty($prop($, 'action'), $prop($, 'executable'), $prop($, 'module_path'), $prop($, 'path'), description), "lolbasNames": $prop($, 'cdx:lolbas:names'), "functions": $prop($, 'cdx:lolbas:functions'), "matchFields": $prop($, 'cdx:lolbas:matchFields'), "path": $prop($, 'path'), "action": $prop($, 'action'), "command": description } - id: OBOM-WIN-007 name: "Windows WMI or AppCompat persistence uses LOLBAS" description: "WMI command consumers and AppCompat shims that invoke LOLBAS utilities are high-signal persistence and defense-evasion indicators." severity: critical category: obom-runtime dry-run-support: full condition: | components[ $prop($, 'cdx:lolbas:matched') = 'true' and ( $prop($, 'cdx:osquery:category') = 'appcompat_shims' or $prop($, 'cdx:osquery:category') = 'wmi_cli_event_consumers' or $prop($, 'cdx:osquery:category') = 'wmi_cli_event_consumers_snapshot' ) ] location: | { "bomRef": $."bom-ref", "purl": purl } message: "WMI/AppCompat persistence artifact '{{ name }}' references LOLBAS helper(s) {{ $prop($, 'cdx:lolbas:names') }}" mitigation: "Treat as a persistence investigation, review WMI repository and shim databases, and remove unauthorized subscriptions or shim registrations." attack: tactics: [TA0003, TA0004, TA0005] techniques: [T1218, T1546] evidence: | { "queryCategory": $prop($, 'cdx:osquery:category'), "lolbasNames": $prop($, 'cdx:lolbas:names'), "functions": $prop($, 'cdx:lolbas:functions'), "matchFields": $prop($, 'cdx:lolbas:matchFields'), "path": $prop($, 'path'), "executable": $prop($, 'executable'), "commandLine": $prop($, 'command_line'), "commandTemplate": $prop($, 'command_line_template') } - id: OBOM-WIN-008 name: "Windows startup or process activity uses network-capable LOLBAS" description: "Network-capable LOLBAS helpers such as PowerShell, Certutil, Bitsadmin, or WMIC become higher priority when they appear in persistence surfaces or suspicious live process command lines." severity: high category: obom-runtime dry-run-support: full condition: | components[ $prop($, 'cdx:lolbas:matched') = 'true' and ( $listContains($prop($, 'cdx:lolbas:functions'), 'download') or $listContains($prop($, 'cdx:lolbas:functions'), 'upload') ) and ( $prop($, 'cdx:osquery:category') = 'windows_run_keys' or $prop($, 'cdx:osquery:category') = 'scheduled_tasks' or $prop($, 'cdx:osquery:category') = 'startup_items' or ( $prop($, 'cdx:osquery:category') = 'processes' and ( $contains($lowercase($nullSafeProp($, 'cmdline')), 'http://') or $contains($lowercase($nullSafeProp($, 'cmdline')), 'https://') or $contains($lowercase($nullSafeProp($, 'cmdline')), '-enc ') ) ) ) ] location: | { "bomRef": $."bom-ref", "purl": purl } message: "Network-capable LOLBAS helper(s) {{ $prop($, 'cdx:lolbas:names') }} detected in '{{ $prop($, 'cdx:osquery:category') }}'" mitigation: "Correlate with outbound connections and downloads, restrict unmanaged scripting/network utilities, and investigate encoded or remote-fetch command lines." attack: tactics: [TA0002, TA0010, TA0011] techniques: [T1041, T1059.001, T1105] evidence: | { "queryCategory": $prop($, 'cdx:osquery:category'), "lolbasNames": $prop($, 'cdx:lolbas:names'), "functions": $prop($, 'cdx:lolbas:functions'), "command": description, "cmdline": $prop($, 'cmdline'), "action": $prop($, 'action') } - id: OBOM-WIN-009 name: "Network-facing Windows listener is a LOLBAS execution helper" description: "A listening process backed by a LOLBAS execution helper is a strong remote-control or staging indicator on Windows endpoints." severity: critical category: obom-runtime dry-run-support: full condition: | components[ $prop($, 'cdx:osquery:category') = 'listening_ports' and $prop($, 'cdx:lolbas:matched') = 'true' and ( $safeStr($prop($, 'address')) = '0.0.0.0' or $safeStr($prop($, 'address')) = '::' ) and ( $listContains($prop($, 'cdx:lolbas:functions'), 'command') or $listContains($prop($, 'cdx:lolbas:functions'), 'script-execution') or $listContains($prop($, 'cdx:lolbas:functions'), 'shell') ) ] location: | { "bomRef": $."bom-ref", "purl": purl } message: "Listening process '{{ name }}' on {{ $prop($, 'address') }}:{{ $prop($, 'port') }} matches LOLBAS helper(s) {{ $prop($, 'cdx:lolbas:names') }}" mitigation: "Review parent process lineage, isolate unmanaged listeners, and block or remove unexpected inbound admin or scripting surfaces." attack: tactics: [TA0002, TA0005, TA0011] techniques: [T1059, T1105, T1218] evidence: | { "lolbasNames": $prop($, 'cdx:lolbas:names'), "functions": $prop($, 'cdx:lolbas:functions'), "path": $prop($, 'path'), "cmdline": $prop($, 'cmdline'), "address": $prop($, 'address'), "port": $prop($, 'port') } - id: OBOM-WIN-010 name: "Windows persistence artifact uses LOLBAS with UAC-bypass context" description: "Persistence surfaces that reference LOLBAS helpers documented with UAC-bypass behavior should be treated as privilege-escalation investigations." severity: critical category: obom-runtime dry-run-support: full condition: | components[ $prop($, 'cdx:lolbas:matched') = 'true' and $listContains($prop($, 'cdx:lolbas:contexts'), 'uac-bypass') and ( $prop($, 'cdx:osquery:category') = 'windows_run_keys' or $prop($, 'cdx:osquery:category') = 'scheduled_tasks' or $prop($, 'cdx:osquery:category') = 'startup_items' or $prop($, 'cdx:osquery:category') = 'wmi_cli_event_consumers' or $prop($, 'cdx:osquery:category') = 'wmi_cli_event_consumers_snapshot' ) ] location: | { "bomRef": $."bom-ref", "purl": purl } message: "UAC-bypass-capable LOLBAS helper(s) {{ $prop($, 'cdx:lolbas:names') }} detected in Windows persistence artifact '{{ name }}'" mitigation: "Investigate as a possible privilege-escalation foothold, remove unauthorized registration points, and enforce WDAC/AppLocker policies for known proxy binaries." attack: tactics: [TA0004, TA0005] techniques: [T1548.002, T1218] evidence: | { "queryCategory": $prop($, 'cdx:osquery:category'), "lolbasNames": $prop($, 'cdx:lolbas:names'), "contexts": $prop($, 'cdx:lolbas:contexts'), "path": $prop($, 'path'), "action": $prop($, 'action'), "command": description } - id: OBOM-MAC-004 name: "macOS launchd override disables Apple-managed service" description: "Launchd overrides disabling Apple-managed services can indicate tampering with built-in security or platform controls." severity: medium category: obom-runtime dry-run-support: full condition: | components[ $prop($, 'cdx:osquery:category') = 'launchd_overrides' and $safeStr($prop($, 'key')) = 'Disabled' and ( $safeStr($prop($, 'value')) = '1' or $lowercase($safeStr($prop($, 'value'))) = 'true' ) and $startsWith($safeStr($prop($, 'label')), 'com.apple.') ] location: | { "bomRef": $."bom-ref", "purl": purl } message: "Launchd override disables Apple-managed label '{{ $prop($, 'label') }}'" mitigation: "Review override provenance, restore approved launchd settings, and investigate unauthorized local configuration changes." evidence: | { "label": $prop($, 'label'), "key": $prop($, 'key'), "value": $prop($, 'value'), "uid": $prop($, 'uid'), "plistPath": $prop($, 'path') } - id: OBOM-MAC-005 name: "macOS Gatekeeper enforcement is disabled or weakened" description: "Gatekeeper should enforce assessments and identified-developer checks on managed macOS endpoints." severity: high category: obom-runtime dry-run-support: full condition: | components[ $prop($, 'cdx:osquery:category') = 'gatekeeper' and ( $safeStr($prop($, 'assessments_enabled')) != '1' or $safeStr($prop($, 'dev_id_enabled')) != '1' ) ] location: | { "bomRef": $."bom-ref", "purl": purl } message: "Gatekeeper posture is weakened (assessments_enabled={{ $prop($, 'assessments_enabled') }}, dev_id_enabled={{ $prop($, 'dev_id_enabled') }})" mitigation: "Re-enable Gatekeeper assessments and identified-developer enforcement with spctl or an MDM configuration profile, then validate the host against baseline policy." evidence: | { "gatekeeperVersion": version, "opaqueVersion": description, "assessmentsEnabled": $prop($, 'assessments_enabled'), "devIdEnabled": $prop($, 'dev_id_enabled') } - id: OBOM-LNX-014 name: "Linux reverse shell behavior detected in live process telemetry" description: "A shell process with a live remote socket is a strong signal for hands-on-keyboard abuse, staging, or remote command execution." severity: critical category: obom-runtime dry-run-support: full condition: | components[ $prop($, 'cdx:osquery:category') = 'behavioral_reverse_shell' ] location: | { "bomRef": $."bom-ref", "purl": purl } message: "Reverse-shell-like process behavior detected for '{{ name }}' reaching {{ $prop($, 'remote_address') }}:{{ $prop($, 'remote_port') }}" mitigation: "Isolate the host, review process lineage and parent shell context, and confirm whether the remote session is expected administrative activity." evidence: | { "path": $prop($, 'path'), "cmdline": $prop($, 'cmdline'), "parentCmdline": $prop($, 'parent_cmdline'), "remoteAddress": $prop($, 'remote_address'), "remotePort": $prop($, 'remote_port') } - id: OBOM-LNX-015 name: "Linux process uses LD_PRELOAD from writable or temporary path" description: "LD_PRELOAD pointing at user-controlled paths can indicate library hijacking, stealth persistence, or runtime tampering." severity: high category: obom-runtime dry-run-support: full condition: | components[ $prop($, 'cdx:osquery:category') = 'ld_preload' and ( $contains($lowercase($safeStr($prop($, 'value'))), '/tmp/') or $contains($lowercase($safeStr($prop($, 'value'))), '/var/tmp/') or $contains($lowercase($safeStr($prop($, 'value'))), '/dev/shm/') or $contains($lowercase($safeStr($prop($, 'value'))), '/home/') or $contains($lowercase($safeStr($prop($, 'value'))), '/run/user/') ) ] location: | { "bomRef": $."bom-ref", "purl": purl } message: "Process '{{ name }}' sets LD_PRELOAD to a risky path: {{ $prop($, 'value') }}" mitigation: "Review the preload library, remove unauthorized runtime injection, and compare the process with package ownership and startup history." evidence: | { "processPath": $prop($, 'path'), "cmdline": $prop($, 'cmdline'), "cwd": $prop($, 'cwd'), "ldPreload": $prop($, 'value') } - id: OBOM-LNX-016 name: "Linux cron entry fetches remote content or runs from writable path" description: "Cron jobs that fetch remote content or execute from temporary and user-writable paths are a high-signal persistence pattern." severity: high category: obom-runtime dry-run-support: full condition: | components[ $prop($, 'cdx:osquery:category') = 'crontab_snapshot' and ( ( ( $contains($lowercase($safeStr($prop($, 'command'))), 'curl ') or $contains($lowercase($safeStr($prop($, 'command'))), 'wget ') ) and ( $contains($lowercase($safeStr($prop($, 'command'))), 'http://') or $contains($lowercase($safeStr($prop($, 'command'))), 'https://') or $contains($lowercase($safeStr($prop($, 'command'))), '| sh') or $contains($lowercase($safeStr($prop($, 'command'))), '| bash') ) ) or $contains($lowercase($safeStr($prop($, 'command'))), '/tmp/') or $contains($lowercase($safeStr($prop($, 'command'))), '/var/tmp/') or $contains($lowercase($safeStr($prop($, 'command'))), '/dev/shm/') or $contains($lowercase($safeStr($prop($, 'command'))), '/home/') ) ] location: | { "bomRef": $."bom-ref", "purl": purl } message: "Cron entry '{{ name }}' has a risky command: {{ $prop($, 'command') }}" mitigation: "Move bootstrap downloads into a managed deployment path, review cron ownership, and remove unauthorized recurring tasks." evidence: | { "command": $prop($, 'command'), "path": $prop($, 'path'), "minute": $prop($, 'minute'), "hour": $prop($, 'hour') } - id: OBOM-LNX-017 name: "Linux sysctl posture diverges from common hardening baseline" description: "Weak ASLR and redirect-handling sysctl values are commonly called out in Lynis and CIS-style hardening reviews." severity: medium category: obom-runtime dry-run-support: full condition: | components[ $prop($, 'cdx:osquery:category') = 'sysctl_hardening' and ( (name = 'kernel.randomize_va_space' and $safeStr(version) != '2') or (name = 'kernel.kptr_restrict' and $safeStr(version) = '0') or ( ( name = 'net.ipv4.conf.all.accept_redirects' or name = 'net.ipv4.conf.default.accept_redirects' or name = 'net.ipv4.conf.all.send_redirects' or name = 'net.ipv4.conf.default.send_redirects' ) and $safeStr(version) = '1' ) ) ] location: | { "bomRef": $."bom-ref", "purl": purl } message: "Sysctl '{{ name }}' has a weak hardening value: {{ version }}" mitigation: "Align the sysctl value with your baseline, apply the setting persistently, and validate whether the deviation is truly required for this host." evidence: | { "sysctl": name, "value": version } - id: OBOM-LNX-018 name: "Linux temporary mount is missing key hardening flags" description: "Temporary and shared-memory mounts should usually carry noexec, nosuid, and nodev protections on hardened hosts." severity: high category: obom-runtime dry-run-support: full condition: | components[ $prop($, 'cdx:osquery:category') = 'mount_hardening' and ( name = '/tmp' or name = '/var/tmp' or name = '/dev/shm' ) and ( $not($contains($lowercase($safeStr(version)), 'noexec')) or $not($contains($lowercase($safeStr(version)), 'nosuid')) or $not($contains($lowercase($safeStr(version)), 'nodev')) ) ] location: | { "bomRef": $."bom-ref", "purl": purl } message: "Mount '{{ name }}' is missing one or more hardening flags: {{ version }}" mitigation: "Review whether the mount should carry noexec, nosuid, and nodev, then enforce the chosen baseline through fstab, systemd mounts, or image build policy." evidence: | { "mount": name, "flags": version, "device": description, "type": $prop($, 'type') } - id: OBOM-LNX-019 name: "Live Linux runtime artifact matches GTFOBins execution helper" description: "GTFOBins-capable binaries in privileged or network-active runtime contexts deserve elevated review because they compress execution, persistence, and lateral movement tradecraft into familiar tools." severity: high category: obom-runtime dry-run-support: full condition: | components[ $prop($, 'cdx:gtfobins:matched') = 'true' and ( $prop($, 'cdx:osquery:category') = 'sudo_executions' or $prop($, 'cdx:osquery:category') = 'privilege_transitions' or $prop($, 'cdx:osquery:category') = 'privileged_listening_ports' or $prop($, 'cdx:osquery:category') = 'behavioral_reverse_shell' or ( $prop($, 'cdx:osquery:category') = 'elevated_processes' and ( $safeStr($prop($, 'package_source_hint')) = 'user-writable-path' or $contains($nullSafeProp($, 'path'), '/tmp/') or $contains($nullSafeProp($, 'path'), '/var/tmp/') or $contains($nullSafeProp($, 'path'), '/dev/shm/') or $contains($nullSafeProp($, 'path'), '/home/') or $contains($nullSafeProp($, 'path'), '/run/user/') or $contains($nullSafeProp($, 'cmdline'), '/tmp/') or $contains($nullSafeProp($, 'cmdline'), '/var/tmp/') or $contains($nullSafeProp($, 'cmdline'), '/dev/shm/') or $contains($nullSafeProp($, 'cmdline'), '/home/') or $contains($nullSafeProp($, 'cmdline'), '/run/user/') ) ) ) and ( $listContains($prop($, 'cdx:gtfobins:functions'), 'shell') or $listContains($prop($, 'cdx:gtfobins:functions'), 'command') or $listContains($prop($, 'cdx:gtfobins:functions'), 'reverse-shell') ) ] location: | { "bomRef": $."bom-ref", "purl": purl } message: "Runtime artifact '{{ name }}' matches GTFOBins helper(s) {{ $prop($, 'cdx:gtfobins:names') }} in '{{ $prop($, 'cdx:osquery:category') }}'" mitigation: "Validate the binary provenance and operator intent, then review related sudo, privilege-transition, listener, and remote-connection telemetry before suppressing the finding." evidence: | { "queryCategory": $prop($, 'cdx:osquery:category'), "gtfobinsNames": $prop($, 'cdx:gtfobins:names'), "functions": $prop($, 'cdx:gtfobins:functions'), "contexts": $prop($, 'cdx:gtfobins:contexts'), "riskTags": $prop($, 'cdx:gtfobins:riskTags'), "path": $prop($, 'path'), "cmdline": $prop($, 'cmdline') } - id: OBOM-WIN-011 name: "Windows Public profile inbound firewall allow rule" description: "Inbound allow rules on the Public firewall profile can expose services beyond expected trust boundaries." severity: high category: obom-runtime dry-run-support: full condition: | components[ $prop($, 'cdx:osquery:category') = 'windows_firewall_rules' and ( $lowercase($safeStr($prop($, 'enabled'))) = '1' or $lowercase($safeStr($prop($, 'enabled'))) = 'true' ) and $lowercase($safeStr($prop($, 'direction'))) = 'in' and $lowercase($safeStr($prop($, 'action'))) = 'allow' and $contains($lowercase($safeStr($prop($, 'profile'))), 'public') ] location: | { "bomRef": $."bom-ref", "purl": purl } message: "Firewall rule '{{ name }}' allows inbound traffic on the Public profile" mitigation: "Narrow the rule scope, move it to a more trusted profile when justified, and verify the backing service really needs public-network reachability." evidence: | { "action": $prop($, 'action'), "direction": $prop($, 'direction'), "profile": $prop($, 'profile'), "localPorts": $prop($, 'local_ports'), "remoteAddresses": $prop($, 'remote_addresses') } - id: OBOM-WIN-012 name: "Windows startup or listener binary has invalid Authenticode status" description: "Persistence and network-facing artifacts backed by definitively invalid Authenticode status deserve urgent review on managed Windows hosts." severity: critical category: obom-runtime dry-run-support: full condition: | components[ ( $prop($, 'cdx:osquery:category') = 'windows_run_keys' or $prop($, 'cdx:osquery:category') = 'scheduled_tasks' or $prop($, 'cdx:osquery:category') = 'startup_items' or $prop($, 'cdx:osquery:category') = 'services_snapshot' or $prop($, 'cdx:osquery:category') = 'listening_ports' ) and $not( $contains( $lowercase( $firstNonEmpty( $prop($, 'image_path'), $prop($, 'executable'), $prop($, 'action'), $prop($, 'module_path'), $prop($, 'path'), description, name ) ), '.lnk' ) ) and $hasProp($, 'cdx:windows:authenticode:status') and $lowercase($safeStr($prop($, 'cdx:windows:authenticode:status'))) != 'valid' and $lowercase($safeStr($prop($, 'cdx:windows:authenticode:status'))) != 'unknown' and $lowercase($safeStr($prop($, 'cdx:windows:authenticode:status'))) != 'unknownerror' and $lowercase($safeStr($prop($, 'cdx:windows:authenticode:status'))) != 'unknown_error' ] location: | { "bomRef": $."bom-ref", "purl": purl } message: "Windows {{ $prop($, 'cdx:osquery:category') }} registration '{{ $firstNonEmpty($prop($, 'key'), $prop($, 'path'), name) }}' resolves to '{{ $firstNonEmpty($prop($, 'image_path'), $prop($, 'executable'), $prop($, 'action'), $prop($, 'module_path'), $prop($, 'path'), description, name) }}' with Authenticode status {{ $prop($, 'cdx:windows:authenticode:status') }}" mitigation: "Review the startup/listener registration and backing binary together, treat the executable as suspicious until provenance is confirmed, compare the hash and signer with an approved baseline, and investigate who registered the surface." evidence: | { "queryCategory": $prop($, 'cdx:osquery:category'), "registrationPath": $firstNonEmpty($prop($, 'key'), $prop($, 'path'), name), "targetPath": $firstNonEmpty($prop($, 'image_path'), $prop($, 'executable'), $prop($, 'action'), $prop($, 'module_path'), $prop($, 'path'), description), "path": $prop($, 'path'), "imagePath": $prop($, 'image_path'), "action": $prop($, 'action'), "authenticodeStatus": $prop($, 'cdx:windows:authenticode:status'), "signerSubject": $prop($, 'cdx:windows:authenticode:signerSubject') } - id: OBOM-WIN-014 name: "Windows user-controlled startup or listener binary has unresolved Authenticode status" description: "Unknown Authenticode state on binaries launched from user-controlled startup or network-facing surfaces deserves review even when Windows cannot conclusively mark the signature invalid." severity: high category: obom-runtime dry-run-support: full condition: | components[ ( $prop($, 'cdx:osquery:category') = 'windows_run_keys' or $prop($, 'cdx:osquery:category') = 'scheduled_tasks' or $prop($, 'cdx:osquery:category') = 'startup_items' or $prop($, 'cdx:osquery:category') = 'services_snapshot' or $prop($, 'cdx:osquery:category') = 'listening_ports' ) and $not( $contains( $lowercase( $firstNonEmpty( $prop($, 'image_path'), $prop($, 'executable'), $prop($, 'action'), $prop($, 'module_path'), $prop($, 'path'), description, name ) ), '.lnk' ) ) and $hasProp($, 'cdx:windows:authenticode:status') and ( $lowercase($safeStr($prop($, 'cdx:windows:authenticode:status'))) = 'unknown' or $lowercase($safeStr($prop($, 'cdx:windows:authenticode:status'))) = 'unknownerror' or $lowercase($safeStr($prop($, 'cdx:windows:authenticode:status'))) = 'unknown_error' ) and ( $isWindowsUserControlledPath( $firstNonEmpty( $prop($, 'image_path'), $prop($, 'executable'), $prop($, 'action'), description, $prop($, 'path'), name ) ) or $isWindowsUserControlledPath( $firstNonEmpty($prop($, 'path'), $prop($, 'key'), name) ) ) ] location: | { "bomRef": $."bom-ref", "purl": purl } message: "Windows {{ $prop($, 'cdx:osquery:category') }} registration '{{ $firstNonEmpty($prop($, 'key'), $prop($, 'path'), name) }}' resolves to '{{ $firstNonEmpty($prop($, 'image_path'), $prop($, 'executable'), $prop($, 'action'), $prop($, 'module_path'), $prop($, 'path'), description, name) }}' with unresolved Authenticode status {{ $prop($, 'cdx:windows:authenticode:status') }}" mitigation: "Review the startup/listener registration and backing binary together, confirm signature collection completed successfully, compare the hash and signer with an approved baseline, and prioritize cleanup of user-controlled execution paths." evidence: | { "queryCategory": $prop($, 'cdx:osquery:category'), "registrationPath": $firstNonEmpty($prop($, 'key'), $prop($, 'path'), name), "targetPath": $firstNonEmpty($prop($, 'image_path'), $prop($, 'executable'), $prop($, 'action'), $prop($, 'module_path'), $prop($, 'path'), description), "path": $prop($, 'path'), "imagePath": $prop($, 'image_path'), "action": $prop($, 'action'), "authenticodeStatus": $prop($, 'cdx:windows:authenticode:status'), "signerSubject": $prop($, 'cdx:windows:authenticode:signerSubject') } - id: OBOM-WIN-013 name: "Windows host has no active WDAC policies" description: "A managed Windows endpoint with no active WDAC policy loses an important application control and allowlisting layer." severity: high category: obom-runtime dry-run-support: full condition: | components[ $hasProp($, 'cdx:windows:wdac:activePolicyCount') and $safeStr($prop($, 'cdx:windows:wdac:activePolicyCount')) = '0' ] location: | { "bomRef": $."bom-ref", "purl": purl } message: "Windows Defender Application Control is not enforcing any active policy on this host" mitigation: "Deploy or restore the approved WDAC policy set and review why policy enforcement is absent on the endpoint." evidence: | { "component": name, "activePolicyCount": $prop($, 'cdx:windows:wdac:activePolicyCount') } - id: OBOM-MAC-006 name: "macOS running app launches from Downloads, Desktop, or temporary path" description: "User-space execution from Downloads, Desktop, or temporary folders is a useful triage signal for ad hoc tooling and unreviewed payloads." severity: medium category: obom-runtime dry-run-support: full condition: | components[ $prop($, 'cdx:osquery:category') = 'running_apps' and ( $contains($safeStr($prop($, 'bundle_path')), '/Users/') and ( $contains($safeStr($prop($, 'bundle_path')), '/Downloads/') or $contains($safeStr($prop($, 'bundle_path')), '/Desktop/') or $contains($safeStr($prop($, 'bundle_path')), '/tmp/') ) ) ] location: | { "bomRef": $."bom-ref", "purl": purl } message: "Running app '{{ name }}' originates from a risky user path: {{ $prop($, 'bundle_path') }}" mitigation: "Validate the app origin, move approved software into managed application paths, and investigate unexpected user-land execution." evidence: | { "bundlePath": $prop($, 'bundle_path'), "bundleExecutable": $prop($, 'bundle_executable'), "isFinishedLaunching": $prop($, 'is_finished_launching') } - id: OBOM-MAC-007 name: "macOS startup or application artifact failed notarization assessment" description: "Launchd, startup, and application artifacts with rejected notarization assessment deserve review before they are treated as trusted software." severity: high category: obom-runtime dry-run-support: full condition: | components[ ( ( ( $prop($, 'cdx:osquery:category') = 'launchd_services' or $prop($, 'cdx:osquery:category') = 'startup_items' ) and ( $not( $isDarwinSystemPath( $firstNonEmpty($prop($, 'path'), $prop($, 'bundle_path')) ) ) or $not( $isDarwinSystemPath( $firstNonEmpty( $prop($, 'program'), $prop($, 'bundle_executable'), $prop($, 'bundle_path'), $prop($, 'path') ) ) ) ) ) or ( $prop($, 'cdx:osquery:category') = 'running_apps' and $not( $isDarwinSystemPath( $firstNonEmpty($prop($, 'bundle_path'), $prop($, 'path')) ) ) ) ) and $hasProp($, 'cdx:darwin:notarization:assessment') and $lowercase($safeStr($prop($, 'cdx:darwin:notarization:assessment'))) = 'rejected' ] location: | { "bomRef": $."bom-ref", "purl": purl } message: "macOS {{ $prop($, 'cdx:osquery:category') }} artifact '{{ name }}' uses registration path '{{ $firstNonEmpty($prop($, 'path'), $prop($, 'bundle_path'), name) }}' and target '{{ $firstNonEmpty($prop($, 'program'), $prop($, 'bundle_executable'), $prop($, 'bundle_path'), $prop($, 'path'), name) }}' with notarization assessment {{ $prop($, 'cdx:darwin:notarization:assessment') }}" mitigation: "Review the registration/config path and backing executable together, confirm the signer or team identifier against approved inventory, and remove or quarantine unexpected startup items or app bundles." evidence: | { "queryCategory": $prop($, 'cdx:osquery:category'), "registrationPath": $firstNonEmpty($prop($, 'path'), $prop($, 'bundle_path')), "targetPath": $firstNonEmpty($prop($, 'program'), $prop($, 'bundle_executable'), $prop($, 'bundle_path'), $prop($, 'path')), "label": $prop($, 'label'), "path": $prop($, 'path'), "bundlePath": $prop($, 'bundle_path'), "bundleExecutable": $prop($, 'bundle_executable'), "program": $prop($, 'program'), "programArguments": $prop($, 'program_arguments'), "teamIdentifier": $prop($, 'cdx:darwin:codesign:teamIdentifier'), "notarizationAssessment": $prop($, 'cdx:darwin:notarization:assessment') } - id: OBOM-MAC-008 name: "macOS user-controlled startup or application artifact has unknown notarization assessment" description: "Launchd, startup, and application artifacts with unknown notarization assessment should be reviewed when they execute from user-controlled macOS paths." severity: medium category: obom-runtime dry-run-support: full condition: | components[ ( ( ( $prop($, 'cdx:osquery:category') = 'launchd_services' or $prop($, 'cdx:osquery:category') = 'startup_items' ) and ( $not( $isDarwinSystemPath( $firstNonEmpty($prop($, 'path'), $prop($, 'bundle_path')) ) ) or $not( $isDarwinSystemPath( $firstNonEmpty( $prop($, 'program'), $prop($, 'bundle_executable'), $prop($, 'bundle_path'), $prop($, 'path') ) ) ) ) ) or ( $prop($, 'cdx:osquery:category') = 'running_apps' and $not( $isDarwinSystemPath( $firstNonEmpty($prop($, 'bundle_path'), $prop($, 'path')) ) ) ) ) and $hasProp($, 'cdx:darwin:notarization:assessment') and $lowercase($safeStr($prop($, 'cdx:darwin:notarization:assessment'))) = 'unknown' and ( $contains( $lowercase($firstNonEmpty($prop($, 'path'), $prop($, 'bundle_path'))), '/users/' ) or $contains( $lowercase( $firstNonEmpty( $prop($, 'program'), $prop($, 'bundle_executable'), $prop($, 'bundle_path'), $prop($, 'path') ) ), '/users/' ) or $contains( $lowercase($firstNonEmpty($prop($, 'path'), $prop($, 'bundle_path'))), '/downloads/' ) or $contains( $lowercase( $firstNonEmpty( $prop($, 'program'), $prop($, 'bundle_executable'), $prop($, 'bundle_path'), $prop($, 'path') ) ), '/downloads/' ) or $contains( $lowercase($firstNonEmpty($prop($, 'path'), $prop($, 'bundle_path'))), '/desktop/' ) or $contains( $lowercase( $firstNonEmpty( $prop($, 'program'), $prop($, 'bundle_executable'), $prop($, 'bundle_path'), $prop($, 'path') ) ), '/desktop/' ) or $contains( $lowercase($firstNonEmpty($prop($, 'path'), $prop($, 'bundle_path'))), '/tmp/' ) or $contains( $lowercase( $firstNonEmpty( $prop($, 'program'), $prop($, 'bundle_executable'), $prop($, 'bundle_path'), $prop($, 'path') ) ), '/tmp/' ) or $contains( $lowercase($firstNonEmpty($prop($, 'path'), $prop($, 'bundle_path'))), '/private/var/' ) or $contains( $lowercase( $firstNonEmpty( $prop($, 'program'), $prop($, 'bundle_executable'), $prop($, 'bundle_path'), $prop($, 'path') ) ), '/private/var/' ) ) ] location: | { "bomRef": $."bom-ref", "purl": purl } message: "macOS {{ $prop($, 'cdx:osquery:category') }} artifact '{{ name }}' uses registration path '{{ $firstNonEmpty($prop($, 'path'), $prop($, 'bundle_path'), name) }}' and target '{{ $firstNonEmpty($prop($, 'program'), $prop($, 'bundle_executable'), $prop($, 'bundle_path'), $prop($, 'path'), name) }}' with unknown notarization assessment on a user-controlled path" mitigation: "Review the registration/config path and backing executable together, re-check notarization and code-signing metadata, and move approved software out of user-controlled paths before suppressing the finding." evidence: | { "queryCategory": $prop($, 'cdx:osquery:category'), "registrationPath": $firstNonEmpty($prop($, 'path'), $prop($, 'bundle_path')), "targetPath": $firstNonEmpty($prop($, 'program'), $prop($, 'bundle_executable'), $prop($, 'bundle_path'), $prop($, 'path')), "label": $prop($, 'label'), "path": $prop($, 'path'), "bundlePath": $prop($, 'bundle_path'), "bundleExecutable": $prop($, 'bundle_executable'), "program": $prop($, 'program'), "programArguments": $prop($, 'program_arguments'), "teamIdentifier": $prop($, 'cdx:darwin:codesign:teamIdentifier'), "notarizationAssessment": $prop($, 'cdx:darwin:notarization:assessment') } - id: OBOM-LNX-020 name: "Privileged Linux listener exposed on a non-local interface from writable or unclassified path" description: "Root or service-account listeners bound to all interfaces from user-controlled or unclassified paths are high-signal persistence or runtime-drift indicators." severity: high category: obom-runtime dry-run-support: full condition: | components[ $prop($, 'cdx:osquery:category') = 'privileged_listening_ports' and ( $safeStr($prop($, 'address')) = '0.0.0.0' or $safeStr($prop($, 'address')) = '::' ) and $safeStr($prop($, 'port')) != '22' and $safeStr($prop($, 'port')) != '53' and $safeStr(name) != 'systemd-resolved' and $safeStr(name) != 'avahi-daemon' and $safeStr(name) != 'cupsd' and ( $safeStr($prop($, 'package_source_hint')) = 'user-writable-path' or $safeStr($prop($, 'package_source_hint')) = 'unclassified-path' or $contains($lowercase($nullSafeProp($, 'path')), '/tmp/') or $contains($lowercase($nullSafeProp($, 'path')), '/var/tmp/') or $contains($lowercase($nullSafeProp($, 'path')), '/dev/shm/') or $contains($lowercase($nullSafeProp($, 'path')), '/home/') or $contains($lowercase($nullSafeProp($, 'path')), '/run/user/') ) ] location: | { "bomRef": $."bom-ref", "purl": purl } message: "Privileged listener '{{ name }}' is reachable on {{ $prop($, 'address') }}:{{ $prop($, 'port') }} from risky path '{{ $firstNonEmpty($prop($, 'path'), name) }}'" mitigation: "Treat the listener path as a high-priority review item, validate package ownership and recent changes, and remove or isolate privileged services sourced from writable or unclassified locations." evidence: | { "account": $prop($, 'account'), "pid": $prop($, 'pid'), "address": $prop($, 'address'), "port": $prop($, 'port'), "path": $prop($, 'path'), "serviceUnit": $prop($, 'service_unit'), "packageSourceHint": $prop($, 'package_source_hint'), "parentCmdline": $prop($, 'parent_cmdline') } - id: OBOM-LNX-021 name: "Linux APT source uses plaintext HTTP transport" description: "Plain HTTP APT mirrors weaken transport integrity and are often called out in baseline hardening reviews even when package signatures remain enabled." severity: medium category: obom-runtime dry-run-support: full condition: | components[ ( $prop($, 'cdx:osquery:category') = 'apt_sources' or $prop($, 'cdx:osquery:category') = 'apt_ppa_sources' ) and $startsWith($lowercase($safeStr($prop($, 'base_uri'))), 'http://') ] location: | { "bomRef": $."bom-ref", "purl": purl, "file": $prop($, 'source') } message: "APT source '{{ name }}' still uses plaintext HTTP transport: {{ $prop($, 'base_uri') }}" mitigation: "Move the repository to HTTPS or an authenticated local mirror, then confirm the source file and mirror policy match your approved package-trust baseline." evidence: | { "sourceFile": $prop($, 'source'), "baseUri": $prop($, 'base_uri'), "release": $prop($, 'release'), "components": $prop($, 'components'), "maintainer": $prop($, 'maintainer') } - id: OBOM-LNX-022 name: "Linux authorized_keys entry uses deprecated ssh-rsa algorithm" description: "ssh-rsa authorized_keys entries rely on an older signature algorithm profile and should be reviewed during SSH hardening work." severity: medium category: obom-runtime dry-run-support: full condition: | components[ $prop($, 'cdx:osquery:category') = 'authorized_keys_snapshot' and $lowercase($safeStr(version)) = 'ssh-rsa' ] location: | { "bomRef": $."bom-ref", "purl": purl, "file": $prop($, 'key_file') } message: "Authorized key for account '{{ name }}' in '{{ $prop($, 'key_file') }}' still uses deprecated ssh-rsa" mitigation: "Replace the key with ed25519 or a modern RSA/SHA-2 compatible key, then re-review key restrictions and account ownership before retaining access." evidence: | { "account": name, "algorithm": version, "keyFile": $prop($, 'key_file'), "comment": description, "uid": $prop($, 'uid') }