anti
eff3e4bce7
Reads pre-shaped session aggregates from TaggerEvent.payload and emits techniques per Appendix A behavior tables. Per-rule predicates dispatch on match.kind (lifter:behavioral_<name>); the lifter holds its own RuleIndex watching the same RuleStore as the engine, so disable / clip / TTL state reaches lifter-bound rules through the same atomic-swap path. R0032/R0036/R0037/R0040 YAMLs had over-escaped regex strings (\\ instead of \\) — fixed in place. Factory wired so default get_tagger() returns CompositeTagger with BehavioralLifter shipped; remaining three lifters (E.3.10-E.3.12) land in subsequent commits. E.2.6 contract preserved via TolerantTagger: empty payload steady-state yields [] with zero ERROR records. Disabled / clipped / expired state verified.
26 lines
600 B
YAML
26 lines
600 B
YAML
rule_id: R0036
|
|
rule_version: 1
|
|
name: credentials_in_files
|
|
description: |
|
|
Reading .env / .git/config / cloud credential files —
|
|
credential-from-file harvesting. Lifter-driven so the rule
|
|
composes the file-access signal with the path discriminator.
|
|
applies_to:
|
|
- session
|
|
- http_request
|
|
match:
|
|
kind: lifter:behavioral_credentials_in_files
|
|
paths:
|
|
- '\.env'
|
|
- '\.git/config'
|
|
- '\.aws/credentials'
|
|
- '\.ssh/id_rsa'
|
|
- 'wp-config\.php'
|
|
emits:
|
|
- tactic: TA0006
|
|
technique_id: T1552
|
|
sub_technique_id: T1552.001
|
|
confidence: 0.9
|
|
evidence_fields:
|
|
- matched_path
|