feat(ttp): E.3.8 R0041-R0048 email cohort
8 YAMLs for the email cohort per Appendix B: open-relay abuse, mass phishing, phishing-kit X-Mailer signatures, IDN/punycode URLs, sender masquerade, malicious attachment, BEC, encoded payload in body. EmailLifter (E.3.12) consumes by rule_id. test_email_rules.py: YAML-present + inert-in-v0 + xfail(strict) precision case gated on E.3.12.
This commit is contained in:
33
rules/ttp/R0046.yaml
Normal file
33
rules/ttp/R0046.yaml
Normal file
@@ -0,0 +1,33 @@
|
||||
rule_id: R0046
|
||||
rule_version: 1
|
||||
name: malicious_attachment
|
||||
description: |
|
||||
Macro-bearing Office doc, .lnk, .iso/.img, password-protected
|
||||
archive, or HTML-smuggling pattern. Lifter inspects the
|
||||
attachment table (file_type + ole_macros + maldoc verdict).
|
||||
applies_to:
|
||||
- email
|
||||
match:
|
||||
kind: lifter:email_malicious_attachment
|
||||
triggers:
|
||||
- office_macro
|
||||
- lnk
|
||||
- iso
|
||||
- img
|
||||
- protected_archive
|
||||
- html_smuggling
|
||||
- mal_hash_match
|
||||
emits:
|
||||
- tactic: TA0002
|
||||
technique_id: T1204
|
||||
sub_technique_id: T1204.002
|
||||
confidence: 0.9
|
||||
- tactic: TA0001
|
||||
technique_id: T1566
|
||||
sub_technique_id: T1566.001
|
||||
confidence: 0.9
|
||||
evidence_fields:
|
||||
- filename
|
||||
- mime_type
|
||||
- matched_trigger
|
||||
- file_hash
|
||||
Reference in New Issue
Block a user