DECNET/rules/ttp/R0056.yaml

rule_id: R0056
rule_version: 1
name: feodo_tracker_hit
description: |
  Source IP listed by abuse.ch Feodo Tracker — known C2 infra,
  family attribution attached.
applies_to:
  - intel
match:
  kind: lifter:intel_feodo
  provider: feodo
emits:
  - tactic: TA0011
    technique_id: T1071
    sub_technique_id: T1071.001
    confidence: 0.85
  - tactic: TA0042
    technique_id: T1588
    sub_technique_id: T1588.001
    confidence: 0.85
evidence_fields:
  - malware_family
  - first_seen_feodo