feat(ttp): Ipv6LeakLifter + R0059 rule for IPv6 link-local opsec failures
Ipv6LeakLifter subscribes to source_kind="ipv6_leak" events from both the passive sniffer and active prober. Emits T1090 (Proxy) under TA0011 (C2) when fe80:: source address is observed — the attacker's VPN only tunnels IPv4 so their link-local IID leaks their NIC identity. Rule R0059 sets base confidence 0.85; iid_kind in the evidence carries the per-observation strength (eui64 = MAC-derived, deterministic; stable_privacy = RFC 7217; temporary = RFC 4941).
rules/ttp/R0059.yaml (Normal file, 27 lines)
@@ -0,0 +1,27 @@
rule_id: R0059
rule_version: 1
last_reviewed: "2026-05-17"
next_review: "2026-08-17"
name: ipv6_link_local_leak
description: |
Attacker's IPv6 link-local address (fe80::/10) observed despite operating
behind an IPv4-only VPN. The IID is derived from the NIC MAC address
(EUI-64) or a stable per-host value (RFC 7217 stable-privacy), either of
which survives VPN/IP rotation and constitutes a persistent host fingerprint.
Passive sniffer and active ICMPv6 solicitation both feed this rule.
applies_to:
- ipv6_leak
match:
kind: lifter:ipv6_link_local_leak
emits:
- tactic: TA0011
technique_id: T1090
confidence: 0.85
evidence_fields:
- addr
- mac_oui
- iid_kind
- vector
- on_iface
- attacker_v4
- observed_at
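Review bot: The flat `confidence: 0.85` and the description's "persistent host fingerprint" claim only hold for the `eui64` and `stable_privacy` cases, but the `match:` block carries no condition on `iid_kind`, and the commit message says the lifter also emits `temporary` (RFC 4941) IIDs, which rotate and fingerprint nothing beyond the current session. Either constrain the match (e.g. `iid_kind: [eui64, stable_privacy]`) or state in `description:` that the lifter scales confidence per `iid_kind`, and document that `mac_oui` is only meaningful when the IID is EUI-64. The phrase "despite operating behind an IPv4-only VPN" also deserves one sentence on where the fe80:: source is actually seen: link-local addresses are not routed, so the passive sniffer and the ICMPv6 solicitation can only observe them on the sensor's own link, which bounds where this rule can fire.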