anti 9056e33962 feat(ttp): Ipv6LeakLifter + R0059 rule for IPv6 link-local opsec failures ...

Ipv6LeakLifter subscribes to source_kind="ipv6_leak" events from both
the passive sniffer and active prober. Emits T1090 (Proxy) under TA0011
(C2) when fe80:: source address is observed — the attacker's VPN only
tunnels IPv4 so their link-local IID leaks their NIC identity.

Rule R0059 sets base confidence 0.85; iid_kind in the evidence carries
the per-observation strength (eui64 = MAC-derived, deterministic;
stable_privacy = RFC 7217; temporary = RFC 4941).

2026-05-17 20:22:26 -04:00

746 B

Raw Permalink Blame History

View Raw