feat(ttp): E.3.8 R0054-R0058 intel cohort + mark step done

5 YAMLs for the intel-verdict cohort per Appendix B / A.10:
AbuseIPDB category mapping, GreyNoise classification, Feodo
Tracker hit, ThreatFox IOC type, aggregate-malicious bump-only.
IntelLifter (E.3.10) consumes by rule_id and tolerates absence
silently (null provider column → no tag).

R0058 is the meta bump-only rule — emits a single confidence=0.0
sentinel so it validates and surfaces in the catalogue, but the
repository's sub-0.3 drop ensures no fresh tag persists if the
fanout fires accidentally. test_intel_rules.py pins that
zero-confidence invariant.

Marks E.3.8 done in development/TTP_TAGGING.md with the cohort-
split summary.

rules/ttp/R0054.yaml

@@ -0,0 +1,25 @@
+rule_id: R0054
+rule_version: 1
+name: abuseipdb_category
+description: |
+  AbuseIPDB category → ATT&CK technique mapping per Appendix A.10.
+  IntelLifter reads AttackerIntel.abuseipdb_categories and emits
+  one tag per matching category code.
+applies_to:
+  - intel
+match:
+  kind: lifter:intel_abuseipdb
+  provider: abuseipdb
+emits:
+  - tactic: TA0006
+    technique_id: T1110
+    confidence: 0.7
+  - tactic: TA0001
+    technique_id: T1190
+    confidence: 0.7
+  - tactic: TA0001
+    technique_id: T1566
+    confidence: 0.7
+evidence_fields:
+  - abuseipdb_categories
+  - abuse_confidence_score

rules/ttp/R0055.yaml

@@ -0,0 +1,23 @@
+rule_id: R0055
+rule_version: 1
+name: greynoise_classification
+description: |
+  GreyNoise classification + tag → ATT&CK technique per A.10.
+  IntelLifter reads AttackerIntel.greynoise_classification and
+  greynoise_tags.
+applies_to:
+  - intel
+match:
+  kind: lifter:intel_greynoise
+  provider: greynoise
+emits:
+  - tactic: TA0043
+    technique_id: T1595
+    sub_technique_id: T1595.002
+    confidence: 0.7
+  - tactic: TA0011
+    technique_id: T1071
+    confidence: 0.7
+evidence_fields:
+  - greynoise_classification
+  - greynoise_tags

rules/ttp/R0056.yaml

@@ -0,0 +1,23 @@
+rule_id: R0056
+rule_version: 1
+name: feodo_tracker_hit
+description: |
+  Source IP listed by abuse.ch Feodo Tracker — known C2 infra,
+  family attribution attached.
+applies_to:
+  - intel
+match:
+  kind: lifter:intel_feodo
+  provider: feodo
+emits:
+  - tactic: TA0011
+    technique_id: T1071
+    sub_technique_id: T1071.001
+    confidence: 0.85
+  - tactic: TA0042
+    technique_id: T1588
+    sub_technique_id: T1588.001
+    confidence: 0.85
+evidence_fields:
+  - malware_family
+  - first_seen_feodo

rules/ttp/R0057.yaml

@@ -0,0 +1,23 @@
+rule_id: R0057
+rule_version: 1
+name: threatfox_ioc
+description: |
+  abuse.ch ThreatFox IOC type → ATT&CK technique mapping with
+  family attribution.
+applies_to:
+  - intel
+match:
+  kind: lifter:intel_threatfox
+  provider: threatfox
+emits:
+  - tactic: TA0011
+    technique_id: T1071
+    confidence: 0.8
+  - tactic: TA0042
+    technique_id: T1588
+    sub_technique_id: T1588.001
+    confidence: 0.8
+evidence_fields:
+  - ioc_type
+  - malware_family
+  - threat_type

rules/ttp/R0058.yaml

@@ -0,0 +1,23 @@
+rule_id: R0058
+rule_version: 1
+name: aggregate_malicious_verdict_bump
+description: |
+  Aggregate intel verdict = "malicious" with no specific provider
+  mapping. Per Appendix B: confidence-bump existing tags only,
+  never emits a fresh tag. emits is intentionally a single
+  zero-confidence sentinel so the rule still validates and the
+  catalogue surfaces it; the IntelLifter inspects rule_id and
+  bumps existing tags' confidence rather than calling the engine
+  fanout.
+applies_to:
+  - intel
+match:
+  kind: lifter:intel_aggregate_bump
+  bump_amount: 0.05
+emits:
+  - tactic: TA0042
+    technique_id: T1588
+    confidence: 0.0
+evidence_fields:
+  - aggregate_verdict
+  - bumped_rule_ids