feat(ttp): E.3.8 R0031-R0040 behavioral cohort

10 YAMLs for the behavioral / cross-event cohort per Appendix B:
beaconing, data destruction, ransom note, web exfil, DB mass-read,
credentials-in-files, k8s SA token harvest, Docker host escape,
LLMNR poisoning, TFTP router-config retrieval.

Every rule is lifter-bound (BehavioralLifter / IdentityLifter) —
the v0 RuleEngine cannot count, aggregate, or compose cross-event
signals, so these YAMLs declare the technique mappings the lifter
will consume by rule_id at E.3.9. Their match specs use a
'kind: lifter:*' shape inert to the regex matcher.

test_behavioral_rules.py asserts each YAML compiles, none fire
from the v0 engine (FP regression guard against a YAML drifting
into a regex), and an xfail(strict=True, reason='impl phase E.3.9')
precision case that will flip green when the lifter lands.

rules/ttp/R0040.yaml

@@ -0,0 +1,23 @@
+rule_id: R0040
+rule_version: 1
+name: tftp_router_config_retrieval
+description: |
+  TFTP RRQ for a router-config-shaped filename (*-confg, *.cfg,
+  startup-config, running-config). Per Appendix A.4.
+applies_to:
+  - session
+match:
+  kind: lifter:tftp_router_config
+  filename_patterns:
+    - '.*-confg$'
+    - '.*\\.cfg$'
+    - 'startup-config'
+    - 'running-config'
+emits:
+  - tactic: TA0009
+    technique_id: T1602
+    sub_technique_id: T1602.002
+    confidence: 0.9
+evidence_fields:
+  - tftp_filename
+  - source_host