From f8dee596e50234a870eb02725047418617b1603b Mon Sep 17 00:00:00 2001 From: anti Date: Sat, 2 May 2026 18:09:03 -0400 Subject: [PATCH] fix(ttp): expand R0054/R0055/R0057 emits + LAST_REVIEWED markers The IntelLifter's _emit_filtered fans out only the rule.emits entries whose technique_id appears in the predicate's decision set. v1's emits lists were narrow supersets of the common case, silently dropping the rest of the predicate's possible emissions: R0054 dropped: T1046 (cat 14), T1078 (cat 20), T1090 (cats 9/13), T1496 (cat 11), T1595 (cats 14/19) R0055 dropped: T1090 (tor_exit_node), T1110 (ssh_bruteforcer), T1588 (the second emit of every C2-framework tag) R0057 dropped: T1105 (payload_delivery, download_url) Bump rule_version 1->2 on R0054/R0055/R0057, expand emits to cover every technique the predicate produces. R0056 (Feodo) and R0058 (aggregate bump) carry no enum and stay at v1. All five YAMLs gain `last_reviewed: "2026-05-02"` and `next_review: "2026-08-02"` markers; the rule YAML is now the canonical record of when the mapping was last reconciled against upstream, with DEBT.md as the calendar reminder.
---
 rules/ttp/R0054.yaml | 32 ++++++++++++++++++++++++++++----
 rules/ttp/R0055.yaml | 24 ++++++++++++++++++++++--
 rules/ttp/R0056.yaml | 10 +++++++++-
 rules/ttp/R0057.yaml | 29 +++++++++++++++++++++++------
 rules/ttp/R0058.yaml | 2 ++
 5 files changed, 84 insertions(+), 13 deletions(-)
diff --git a/rules/ttp/R0054.yaml b/rules/ttp/R0054.yaml
index abf26413..6952eb6b 100644
--- a/rules/ttp/R0054.yaml
+++ b/rules/ttp/R0054.yaml
@@ -1,10 +1,19 @@
 rule_id: R0054
-rule_version: 1
+rule_version: 2
+last_reviewed: "2026-05-02"
+next_review: "2026-08-02"
 name: abuseipdb_category
 description: |
   AbuseIPDB category → ATT&CK technique mapping per Appendix A.10.
-  IntelLifter reads AttackerIntel.abuseipdb_categories and emits
-  one tag per matching category code.
+  IntelLifter reads AttackerIntel.abuseipdb_categories and emits one
+  tag per technique the predicate selects from the matched categories.
+
+  v2 (2026-05-02 ship-time audit): expanded ``emits`` to cover every
+  technique the predicate can produce — v1 silently dropped T1046
+  (cat 14), T1078 (cat 20), T1090 (cats 9/13), T1496 (cat 11),
+  T1498 (cat 4 — still unmapped intentionally), T1595 (cats 14/19).
+  Also corrects the cat 10/17 → 4/13 wire-vs-design typo and adds
+  cat 7 (Phishing) → T1566 and cat 16 (SQL Injection) → T1190.
 applies_to:
   - intel
 match:
@@ -20,6 +29,21 @@ emits:
   - tactic: TA0001
     technique_id: T1566
     confidence: 0.7
+  - tactic: TA0007
+    technique_id: T1046
+    confidence: 0.7
+  - tactic: TA0001
+    technique_id: T1078
+    confidence: 0.6
+  - tactic: TA0011
+    technique_id: T1090
+    confidence: 0.6
+  - tactic: TA0040
+    technique_id: T1496
+    confidence: 0.6
+  - tactic: TA0043
+    technique_id: T1595
+    confidence: 0.7
 evidence_fields:
   - abuseipdb_categories
-  - abuse_confidence_score
+  - abuseipdb_score
diff --git a/rules/ttp/R0055.yaml b/rules/ttp/R0055.yaml
index 83feacf1..a200eeba 100644
--- a/rules/ttp/R0055.yaml
+++ b/rules/ttp/R0055.yaml
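Review bot: The v2 paragraph in the description lists T1498 (cat 4) among the techniques v1 "silently dropped", yet the same line says it is still intentionally unmapped and no T1498 entry is added to `emits` in this commit, so anyone auditing emits against the description will count one technique as missing. Move it out of the dropped list, e.g. `... T1496 (cat 11), T1595 (cats 14/19). Cat 4 (T1498) remains intentionally unmapped.` The paragraph also says cat 16 → T1190 was added, but no T1190 entry appears in either hunk of this file; either it already sits in the unchanged lines before the second hunk or it is missing from this commit, which is worth a quick check. The `match:` section begins on the last line of this hunk and continues outside it.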
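Review bot: `evidence_fields` drops `abuse_confidence_score` in favour of `abuseipdb_score`, an evidence-schema rename that the commit message does not mention (it describes only the emits expansion and the version bump); anything downstream that keys on the old field name — a detection, an enrichment template, a dashboard — will silently stop seeing the score rather than fail loudly. R0056 (`malware_family` → `feodo_listed`/`feodo_malware_family`) and R0057 (`ioc_type`/`malware_family`/`threat_type` → `threatfox_*`) carry the same kind of rename. Either record the renames in the commit message and confirm the lifter/worker actually populate the new names, or keep the old name alongside the new one for a deprecation window. The new tactic/technique pairings here (T1046/TA0007, T1078/TA0001, T1090/TA0011, T1496/TA0040, T1595/TA0043) are consistent with ATT&CK.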
@@ -1,10 +1,20 @@
 rule_id: R0055
-rule_version: 1
+rule_version: 2
+last_reviewed: "2026-05-02"
+next_review: "2026-08-02"
 name: greynoise_classification
 description: |
   GreyNoise classification + tag → ATT&CK technique per A.10.
   IntelLifter reads AttackerIntel.greynoise_classification and
-  greynoise_tags.
+  greynoise_tags. Note: the Community endpoint does not return tags;
+  the tag-driven emits become live only when an operator wires a
+  non-Community provider plan that does.
+
+  v2 (2026-05-02 ship-time audit): expanded ``emits`` to cover
+  T1090 (tor_exit_node), T1110 (ssh_bruteforcer), T1588 (C2-framework
+  tags' second emit) — v1 silently dropped all three. Bare
+  ``classification == "malicious"`` now lights T1071 at half
+  multiplier when no recognised tag fires.
 applies_to:
   - intel
 match:
@@ -18,6 +28,16 @@ emits:
   - tactic: TA0011
     technique_id: T1071
     confidence: 0.7
+  - tactic: TA0011
+    technique_id: T1090
+    confidence: 0.7
+  - tactic: TA0006
+    technique_id: T1110
+    confidence: 0.7
+  - tactic: TA0042
+    technique_id: T1588
+    confidence: 0.7
 evidence_fields:
   - greynoise_classification
   - greynoise_tags
+  - greynoise_name
diff --git a/rules/ttp/R0056.yaml b/rules/ttp/R0056.yaml
index 09f5b057..27e1aeea 100644
--- a/rules/ttp/R0056.yaml
+++ b/rules/ttp/R0056.yaml
@@ -1,9 +1,16 @@
 rule_id: R0056
 rule_version: 1
+last_reviewed: "2026-05-02"
+next_review: "2026-08-02"
 name: feodo_tracker_hit
 description: |
   Source IP listed by abuse.ch Feodo Tracker — known C2 infra,
   family attribution attached.
+
+  No drift in 2026-05-02 ship-time audit: Feodo's data shape is
+  feed-driven (one entry per listed IP), no enum to bump. Family
+  flows through evidence as a string and does not need a code-level
+  taxonomy. Reviewed and unchanged.
 applies_to:
   - intel
 match:
@@ -19,5 +26,6 @@ emits:
     sub_technique_id: T1588.001
     confidence: 0.85
 evidence_fields:
-  - malware_family
+  - feodo_listed
+  - feodo_malware_family
   - first_seen_feodo
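Review bot: The description's claim that a bare `classification == "malicious"` "lights T1071 at half multiplier" describes behaviour that lives in the lifter, not in this file — the T1071 entry in the second hunk still carries `confidence: 0.7` and nothing in the YAML expresses a halved value — so the rule doc and the rule data disagree on what confidence a bare malicious classification yields. Either state the effective number (`... lights T1071 at confidence 0.35 (half the listed 0.7) when no recognised tag fires` — assuming the multiplier applies to this field, which I cannot confirm from here) or name the code path that applies it. Separately, `greynoise_name` is added to `evidence_fields` without a mention in the description or the commit message; if the Community endpoint omits it the way it omits tags, say so next to the existing Community note. The `match:` section begins on the last line of the first hunk and continues outside it.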
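Review bot: The added R0056 description paragraph ends "Reviewed and unchanged", but the file's second hunk changes `evidence_fields` (`malware_family` → `feodo_listed` + `feodo_malware_family`) while `rule_version` stays at 1, whereas R0054/R0055/R0057 bump to 2 for their changes. If `rule_version` is what consumers use to detect that a rule's output shape changed, an evidence rename at the same version is exactly the silent drift the review markers are meant to catch. Either bump to `rule_version: 2` and drop "Reviewed and unchanged", or reword to `Reviewed; evidence field names aligned with the feodo_* payload keys, emits unchanged.` The commit message's statement that R0056 "stays at v1" should be reconciled with whichever option is taken.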
diff --git a/rules/ttp/R0057.yaml b/rules/ttp/R0057.yaml
index d9fd2cef..94a8bc81 100644
--- a/rules/ttp/R0057.yaml
+++ b/rules/ttp/R0057.yaml
@@ -1,9 +1,20 @@
 rule_id: R0057
-rule_version: 1
-name: threatfox_ioc
+rule_version: 2
+last_reviewed: "2026-05-02"
+next_review: "2026-08-02"
+name: threatfox_threat_type
 description: |
-  abuse.ch ThreatFox IOC type → ATT&CK technique mapping with
+  abuse.ch ThreatFox ``threat_type`` → ATT&CK technique mapping with
   family attribution.
+
+  v2 (2026-05-02 ship-time audit): keys on ``threat_type`` (the
+  canonical ThreatFox taxonomy) instead of ``ioc_type`` — v1 had it
+  backwards, ``ioc_type`` is the indicator format (url / domain /
+  hash) and carries no ATT&CK signal. Also expanded ``emits`` to
+  include T1105 (payload_delivery) and T1056 (cc_skimming) which v1
+  silently dropped, and the lifter now reads from the bus payload
+  fields ``threatfox_threat_types`` (list) populated by the intel
+  worker.
 applies_to:
   - intel
 match:
@@ -17,7 +28,13 @@ emits:
     technique_id: T1588
     sub_technique_id: T1588.001
     confidence: 0.8
+  - tactic: TA0011
+    technique_id: T1105
+    confidence: 0.75
+  - tactic: TA0009
+    technique_id: T1056
+    confidence: 0.7
 evidence_fields:
-  - ioc_type
-  - malware_family
-  - threat_type
+  - threatfox_threat_types
+  - threatfox_ioc_types
+  - threatfox_malware_families
diff --git a/rules/ttp/R0058.yaml b/rules/ttp/R0058.yaml
index b73fa121..39c94250 100644
--- a/rules/ttp/R0058.yaml
+++ b/rules/ttp/R0058.yaml
@@ -1,5 +1,7 @@
 rule_id: R0058
 rule_version: 1
+last_reviewed: "2026-05-02"
+next_review: "2026-08-02"
 name: aggregate_malicious_verdict_bump
 description: |
   Aggregate intel verdict = "malicious" with no specific provider
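Review bot: The rule's `name` changes from `threatfox_ioc` to `threatfox_threat_type` in the first hunk of R0057, a second identifier rename on top of the version bump, and neither the commit message nor the description says whether anything addresses rules by `name` (tests, docs, suppression or tuning lists); if anything does, it breaks with no version check to catch it. The description also says v1 dropped both T1105 and T1056, while the commit message lists only T1105 for R0057 — one of the two should be corrected so the changelog and the rule agree. The T1056 entry is mapped to TA0009 at `confidence: 0.7`; that pairing is valid in ATT&CK, but a short inline comment such as `# cc_skimming → Input Capture (Collection)` beside it would make the tag→technique link auditable without opening the lifter. The `match:` section begins on the last line of the first hunk and continues outside it.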