feat(ttp): E.3.8 R0049-R0053 canary fingerprint cohort
5 YAMLs for the canary-fingerprint cohort per Appendix B / A.9: navigator.webdriver flag, automation canvas/audio/WebGL hash match, WebRTC IP leak, TZ/lang vs geo mismatch, platform inconsistency. CanaryFingerprintLifter (E.3.11) consumes by rule_id. test_canary_rules.py: YAML-present + inert-in-v0 + xfail(strict) gated on E.3.11.
This commit is contained in:
19
rules/ttp/R0053.yaml
Normal file
19
rules/ttp/R0053.yaml
Normal file
@@ -0,0 +1,19 @@
|
||||
rule_id: R0053
|
||||
rule_version: 1
|
||||
name: platform_inconsistency
|
||||
description: |
|
||||
navigator.platform / userAgent / WebGL renderer disagree —
|
||||
classic hand-built crawler with mismatched stealth shimming.
|
||||
applies_to:
|
||||
- canary_fingerprint
|
||||
match:
|
||||
kind: lifter:canary_platform_inconsistency
|
||||
emits:
|
||||
- tactic: TA0005
|
||||
technique_id: T1036
|
||||
confidence: 0.8
|
||||
evidence_fields:
|
||||
- navigator_platform
|
||||
- user_agent
|
||||
- webgl_renderer
|
||||
- mismatch_pairs
|
||||
Reference in New Issue
Block a user