feat(ttp): E.3.8 R0031-R0040 behavioral cohort
10 YAMLs for the behavioral / cross-event cohort per Appendix B: beaconing, data destruction, ransom note, web exfil, DB mass-read, credentials-in-files, k8s SA token harvest, Docker host escape, LLMNR poisoning, TFTP router-config retrieval. Every rule is lifter-bound (BehavioralLifter / IdentityLifter) — the v0 RuleEngine cannot count, aggregate, or compose cross-event signals, so these YAMLs declare the technique mappings the lifter will consume by rule_id at E.3.9. Their match specs use a 'kind: lifter:*' shape inert to the regex matcher. test_behavioral_rules.py asserts each YAML compiles, none fire from the v0 engine (FP regression guard against a YAML drifting into a regex), and an xfail(strict=True, reason='impl phase E.3.9') precision case that will flip green when the lifter lands.
This commit is contained in:
23
rules/ttp/R0031.yaml
Normal file
23
rules/ttp/R0031.yaml
Normal file
@@ -0,0 +1,23 @@
|
||||
rule_id: R0031
|
||||
rule_version: 1
|
||||
name: beaconing
|
||||
description: |
|
||||
Periodic outbound activity with low jitter — classic C2 beacon.
|
||||
Read from AttackerBehavior.beacon_interval_s / .beacon_jitter_pct
|
||||
by the BehavioralLifter (E.3.9).
|
||||
applies_to:
|
||||
- session
|
||||
match:
|
||||
kind: lifter:beaconing
|
||||
max_jitter_pct: 0.15
|
||||
min_interval_s: 10
|
||||
emits:
|
||||
- tactic: TA0011
|
||||
technique_id: T1071
|
||||
confidence: 0.8
|
||||
- tactic: TA0011
|
||||
technique_id: T1029
|
||||
confidence: 0.85
|
||||
evidence_fields:
|
||||
- beacon_interval_s
|
||||
- beacon_jitter_pct
|
||||
Reference in New Issue
Block a user