refactor(ttp): normalise lifter:<owner>_<name> match.kind prefix

E.3.9.1 prerequisite. Rules R0031-R0040 now use lifter:behavioral_*, R0041 (open_relay) uses lifter:email_open_relay; the rest of the email, canary, and intel cohorts already conformed. Each lifter at E.3.9-E.3.12 will claim its rules via str.startswith('lifter:<owner>_'), keeping the ownership routing explicit and trivially extensible. R0001-R0006 / R0030 lifter:* rules are E.3.13 (Identity/Credential) territory and stay as-is.
2026-05-01 20:10:33 -04:00
parent e7531ee756
commit 321ea7a2a6
11 changed files with 11 additions and 11 deletions
--- a/rules/ttp/R0031.yaml
+++ b/rules/ttp/R0031.yaml
@@ -8,7 +8,7 @@ description: |
 applies_to:
  - session
 match:
-  kind: lifter:beaconing
+  kind: lifter:behavioral_beaconing
  max_jitter_pct: 0.15
  min_interval_s: 10
 emits:
--- a/rules/ttp/R0032.yaml
+++ b/rules/ttp/R0032.yaml
@@ -8,7 +8,7 @@ description: |
 applies_to:
  - session
 match:
-  kind: lifter:data_destruction
+  kind: lifter:behavioral_data_destruction
  patterns:
    - 'FLUSHALL'
    - 'DROP\\s+DATABASE'
--- a/rules/ttp/R0033.yaml
+++ b/rules/ttp/R0033.yaml
@@ -9,7 +9,7 @@ applies_to:
  - session
  - email
 match:
-  kind: lifter:ransom_note
+  kind: lifter:behavioral_ransom_note
  require_btc_or_xmr: true
  payment_keywords:
    - bitcoin
--- a/rules/ttp/R0034.yaml
+++ b/rules/ttp/R0034.yaml
@@ -8,7 +8,7 @@ description: |
 applies_to:
  - session
 match:
-  kind: lifter:exfil_over_web
+  kind: lifter:behavioral_exfil_over_web
  min_payload_bytes: 1048576
  request_threshold: 50
 emits:
--- a/rules/ttp/R0035.yaml
+++ b/rules/ttp/R0035.yaml
@@ -8,7 +8,7 @@ description: |
 applies_to:
  - session
 match:
-  kind: lifter:db_mass_read
+  kind: lifter:behavioral_db_mass_read
  min_rows: 10000
  min_bytes: 5242880
 emits:
--- a/rules/ttp/R0036.yaml
+++ b/rules/ttp/R0036.yaml
@@ -9,7 +9,7 @@ applies_to:
  - session
  - http_request
 match:
-  kind: lifter:credentials_in_files
+  kind: lifter:behavioral_credentials_in_files
  paths:
    - '\\.env'
    - '\\.git/config'
--- a/rules/ttp/R0037.yaml
+++ b/rules/ttp/R0037.yaml
@@ -8,7 +8,7 @@ applies_to:
  - session
  - http_request
 match:
-  kind: lifter:k8s_sa_token
+  kind: lifter:behavioral_k8s_sa_token
  paths:
    - '/api/v1/namespaces/[^/]+/secrets'
    - '/var/run/secrets/kubernetes\\.io/serviceaccount'
--- a/rules/ttp/R0038.yaml
+++ b/rules/ttp/R0038.yaml
@@ -8,7 +8,7 @@ description: |
 applies_to:
  - session
 match:
-  kind: lifter:docker_escape
+  kind: lifter:behavioral_docker_escape
  signals:
    - 'privileged:true'
    - 'bind:/:/'
--- a/rules/ttp/R0039.yaml
+++ b/rules/ttp/R0039.yaml
@@ -8,7 +8,7 @@ description: |
 applies_to:
  - session
 match:
-  kind: lifter:llmnr_poisoning
+  kind: lifter:behavioral_llmnr_poisoning
 emits:
  - tactic: TA0009
    technique_id: T1557
--- a/rules/ttp/R0040.yaml
+++ b/rules/ttp/R0040.yaml
@@ -7,7 +7,7 @@ description: |
 applies_to:
  - session
 match:
-  kind: lifter:tftp_router_config
+  kind: lifter:behavioral_tftp_router_config
  filename_patterns:
    - '.*-confg$'
    - '.*\\.cfg$'
--- a/rules/ttp/R0041.yaml
+++ b/rules/ttp/R0041.yaml
@@ -7,7 +7,7 @@ description: |
 applies_to:
  - email
 match:
-  kind: lifter:open_relay
+  kind: lifter:email_open_relay
  rcpt_threshold: 10
  require_foreign_from: true
 emits: