anti
321ea7a2a6
E.3.9.1 prerequisite. Rules R0031-R0040 now use lifter:behavioral_*,
R0041 (open_relay) uses lifter:email_open_relay; the rest of the email,
canary, and intel cohorts already conformed. Each lifter at E.3.9-E.3.12
will claim its rules via str.startswith('lifter:<owner>_'), keeping the
ownership routing explicit and trivially extensible.
R0001-R0006 / R0030 lifter:* rules are E.3.13 (Identity/Credential)
territory and stay as-is.
26 lines
605 B
YAML
26 lines
605 B
YAML
rule_id: R0036
|
|
rule_version: 1
|
|
name: credentials_in_files
|
|
description: |
|
|
Reading .env / .git/config / cloud credential files —
|
|
credential-from-file harvesting. Lifter-driven so the rule
|
|
composes the file-access signal with the path discriminator.
|
|
applies_to:
|
|
- session
|
|
- http_request
|
|
match:
|
|
kind: lifter:behavioral_credentials_in_files
|
|
paths:
|
|
- '\\.env'
|
|
- '\\.git/config'
|
|
- '\\.aws/credentials'
|
|
- '\\.ssh/id_rsa'
|
|
- 'wp-config\\.php'
|
|
emits:
|
|
- tactic: TA0006
|
|
technique_id: T1552
|
|
sub_technique_id: T1552.001
|
|
confidence: 0.9
|
|
evidence_fields:
|
|
- matched_path
|