anti/DECNET
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

refactor(ttp): normalise lifter:<owner>_<name> match.kind prefix

Browse Source 
E.3.9.1 prerequisite. Rules R0031-R0040 now use lifter:behavioral_*,
R0041 (open_relay) uses lifter:email_open_relay; the rest of the email,
canary, and intel cohorts already conformed. Each lifter at E.3.9-E.3.12
will claim its rules via str.startswith('lifter:<owner>_'), keeping the
ownership routing explicit and trivially extensible.

R0001-R0006 / R0030 lifter:* rules are E.3.13 (Identity/Credential)
territory and stay as-is.
This commit is contained in:
anti
2026-05-01 20:10:33 -04:00
parent e7531ee756
commit 321ea7a2a6
11 changed files with 11 additions and 11 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
rules/ttp/R0031.yaml
View File

@@ -8,7 +8,7 @@ description: |
applies_to: applies_to:
- session - session
match: match:
kind: lifter:beaconing kind: lifter:behavioral_beaconing
max_jitter_pct: 0.15 max_jitter_pct: 0.15
min_interval_s: 10 min_interval_s: 10
emits: emits:

2
rules/ttp/R0032.yaml
View File

@@ -8,7 +8,7 @@ description: |
applies_to: applies_to:
- session - session
match: match:
kind: lifter:data_destruction kind: lifter:behavioral_data_destruction
patterns: patterns:
- 'FLUSHALL' - 'FLUSHALL'
- 'DROP\\s+DATABASE' - 'DROP\\s+DATABASE'

2
rules/ttp/R0033.yaml
View File

@@ -9,7 +9,7 @@ applies_to:
- session - session
- email - email
match: match:
kind: lifter:ransom_note kind: lifter:behavioral_ransom_note
require_btc_or_xmr: true require_btc_or_xmr: true
payment_keywords: payment_keywords:
- bitcoin - bitcoin

2
rules/ttp/R0034.yaml
View File

@@ -8,7 +8,7 @@ description: |
applies_to: applies_to:
- session - session
match: match:
kind: lifter:exfil_over_web kind: lifter:behavioral_exfil_over_web
min_payload_bytes: 1048576 min_payload_bytes: 1048576
request_threshold: 50 request_threshold: 50
emits: emits:

2
rules/ttp/R0035.yaml
View File

@@ -8,7 +8,7 @@ description: |
applies_to: applies_to:
- session - session
match: match:
kind: lifter:db_mass_read kind: lifter:behavioral_db_mass_read
min_rows: 10000 min_rows: 10000
min_bytes: 5242880 min_bytes: 5242880
emits: emits:

2
rules/ttp/R0036.yaml
View File

@@ -9,7 +9,7 @@ applies_to:
- session - session
- http_request - http_request
match: match:
kind: lifter:credentials_in_files kind: lifter:behavioral_credentials_in_files
paths: paths:
- '\\.env' - '\\.env'
- '\\.git/config' - '\\.git/config'

2
rules/ttp/R0037.yaml
View File

@@ -8,7 +8,7 @@ applies_to:
- session - session
- http_request - http_request
match: match:
kind: lifter:k8s_sa_token kind: lifter:behavioral_k8s_sa_token
paths: paths:
- '/api/v1/namespaces/[^/]+/secrets' - '/api/v1/namespaces/[^/]+/secrets'
- '/var/run/secrets/kubernetes\\.io/serviceaccount' - '/var/run/secrets/kubernetes\\.io/serviceaccount'

2
rules/ttp/R0038.yaml
View File

@@ -8,7 +8,7 @@ description: |
applies_to: applies_to:
- session - session
match: match:
kind: lifter:docker_escape kind: lifter:behavioral_docker_escape
signals: signals:
- 'privileged:true' - 'privileged:true'
- 'bind:/:/' - 'bind:/:/'

2
rules/ttp/R0039.yaml
View File

@@ -8,7 +8,7 @@ description: |
applies_to: applies_to:
- session - session
match: match:
kind: lifter:llmnr_poisoning kind: lifter:behavioral_llmnr_poisoning
emits: emits:
- tactic: TA0009 - tactic: TA0009
technique_id: T1557 technique_id: T1557

2
rules/ttp/R0040.yaml
View File

@@ -7,7 +7,7 @@ description: |
applies_to: applies_to:
- session - session
match: match:
kind: lifter:tftp_router_config kind: lifter:behavioral_tftp_router_config
filename_patterns: filename_patterns:
- '.*-confg$' - '.*-confg$'
- '.*\\.cfg$' - '.*\\.cfg$'

2
rules/ttp/R0041.yaml
View File

@@ -7,7 +7,7 @@ description: |
applies_to: applies_to:
- email - email
match: match:
kind: lifter:open_relay kind: lifter:email_open_relay
rcpt_threshold: 10 rcpt_threshold: 10
require_foreign_from: true require_foreign_from: true
emits: emits: