diff --git a/rules/ttp/R0031.yaml b/rules/ttp/R0031.yaml
index 14b184b0..e7e8b49c 100644
--- a/rules/ttp/R0031.yaml
+++ b/rules/ttp/R0031.yaml
@@ -8,7 +8,7 @@ description: |
 applies_to:
 - session
 match:
-  kind: lifter:beaconing
+  kind: lifter:behavioral_beaconing
   max_jitter_pct: 0.15
   min_interval_s: 10
 emits:
diff --git a/rules/ttp/R0032.yaml b/rules/ttp/R0032.yaml
index 127990d2..b9c9d4b1 100644
--- a/rules/ttp/R0032.yaml
+++ b/rules/ttp/R0032.yaml
@@ -8,7 +8,7 @@ description: |
 applies_to:
 - session
 match:
-  kind: lifter:data_destruction
+  kind: lifter:behavioral_data_destruction
   patterns:
   - 'FLUSHALL'
   - 'DROP\\s+DATABASE'
diff --git a/rules/ttp/R0033.yaml b/rules/ttp/R0033.yaml
index ebb99f16..62386fa4 100644
--- a/rules/ttp/R0033.yaml
+++ b/rules/ttp/R0033.yaml
@@ -9,7 +9,7 @@ applies_to:
 - session
 - email
 match:
-  kind: lifter:ransom_note
+  kind: lifter:behavioral_ransom_note
   require_btc_or_xmr: true
   payment_keywords:
   - bitcoin
diff --git a/rules/ttp/R0034.yaml b/rules/ttp/R0034.yaml
index 9516cfa5..bfa27be5 100644
--- a/rules/ttp/R0034.yaml
+++ b/rules/ttp/R0034.yaml
@@ -8,7 +8,7 @@ description: |
 applies_to:
 - session
 match:
-  kind: lifter:exfil_over_web
+  kind: lifter:behavioral_exfil_over_web
   min_payload_bytes: 1048576
   request_threshold: 50
 emits:
diff --git a/rules/ttp/R0035.yaml b/rules/ttp/R0035.yaml
index 7728711d..deda538a 100644
--- a/rules/ttp/R0035.yaml
+++ b/rules/ttp/R0035.yaml
@@ -8,7 +8,7 @@ description: |
 applies_to:
 - session
 match:
-  kind: lifter:db_mass_read
+  kind: lifter:behavioral_db_mass_read
   min_rows: 10000
   min_bytes: 5242880
 emits:
diff --git a/rules/ttp/R0036.yaml b/rules/ttp/R0036.yaml
index 7b831291..a4254e02 100644
--- a/rules/ttp/R0036.yaml
+++ b/rules/ttp/R0036.yaml
@@ -9,7 +9,7 @@ applies_to:
 - session
 - http_request
 match:
-  kind: lifter:credentials_in_files
+  kind: lifter:behavioral_credentials_in_files
   paths:
   - '\\.env'
   - '\\.git/config'
diff --git a/rules/ttp/R0037.yaml b/rules/ttp/R0037.yaml
index ef7c9312..df83e282 100644
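Review bot: The pattern `'DROP\\s+DATABASE'` in R0032's `patterns` is a single-quoted YAML scalar, where backslash is not an escape, so the loaded string carries two backslashes and, if handed straight to a regex engine, matches a literal backslash followed by one or more `s` rather than whitespace — a silent miss for the rule this commit re-points at the renamed lifter. Unless the rule loader does its own unescaping, the single-backslash form `- 'DROP\s+DATABASE'` is what the regex engine needs; the same doubling appears in the single-quoted `paths` of R0036 and R0037 and in `filename_patterns` of R0040. These regex lines are unchanged context here, so a loader test asserting that each pattern matches its intended sample input would settle which interpretation is in effect. The lifter-side rename that the new `kind` values depend on is outside this diff, so a load-time check that every `kind` resolves to a registered lifter would turn a stale name into a hard error rather than a rule that never fires.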
--- a/rules/ttp/R0037.yaml
+++ b/rules/ttp/R0037.yaml
@@ -8,7 +8,7 @@ applies_to:
 - session
 - http_request
 match:
-  kind: lifter:k8s_sa_token
+  kind: lifter:behavioral_k8s_sa_token
   paths:
   - '/api/v1/namespaces/[^/]+/secrets'
   - '/var/run/secrets/kubernetes\\.io/serviceaccount'
diff --git a/rules/ttp/R0038.yaml b/rules/ttp/R0038.yaml
index 3b0404d3..89c96f09 100644
--- a/rules/ttp/R0038.yaml
+++ b/rules/ttp/R0038.yaml
@@ -8,7 +8,7 @@ description: |
 applies_to:
 - session
 match:
-  kind: lifter:docker_escape
+  kind: lifter:behavioral_docker_escape
   signals:
   - 'privileged:true'
   - 'bind:/:/'
diff --git a/rules/ttp/R0039.yaml b/rules/ttp/R0039.yaml
index 8b7c6cc1..13689db7 100644
--- a/rules/ttp/R0039.yaml
+++ b/rules/ttp/R0039.yaml
@@ -8,7 +8,7 @@ description: |
 applies_to:
 - session
 match:
-  kind: lifter:llmnr_poisoning
+  kind: lifter:behavioral_llmnr_poisoning
 emits:
 - tactic: TA0009
   technique_id: T1557
diff --git a/rules/ttp/R0040.yaml b/rules/ttp/R0040.yaml
index 100b5ec8..2d85c4a7 100644
--- a/rules/ttp/R0040.yaml
+++ b/rules/ttp/R0040.yaml
@@ -7,7 +7,7 @@ description: |
 applies_to:
 - session
 match:
-  kind: lifter:tftp_router_config
+  kind: lifter:behavioral_tftp_router_config
   filename_patterns:
   - '.*-confg$'
   - '.*\\.cfg$'
diff --git a/rules/ttp/R0041.yaml b/rules/ttp/R0041.yaml
index bdbbf724..77d258a9 100644
--- a/rules/ttp/R0041.yaml
+++ b/rules/ttp/R0041.yaml
@@ -7,7 +7,7 @@ description: |
 applies_to:
 - email
 match:
-  kind: lifter:open_relay
+  kind: lifter:email_open_relay
   rcpt_threshold: 10
   require_foreign_from: true
 emits: