anti
f8dee596e5
The IntelLifter's _emit_filtered fans out only the rule.emits entries
whose technique_id appears in the predicate's decision set. v1's emits
lists were narrow supersets of the common case, silently dropping the
rest of the predicate's possible emissions:
R0054 dropped: T1046 (cat 14), T1078 (cat 20), T1090 (cats 9/13),
T1496 (cat 11), T1595 (cats 14/19)
R0055 dropped: T1090 (tor_exit_node), T1110 (ssh_bruteforcer),
T1588 (the second emit of every C2-framework tag)
R0057 dropped: T1105 (payload_delivery, download_url)
Bump rule_version 1->2 on R0054/R0055/R0057, expand emits to cover
every technique the predicate produces. R0056 (Feodo) and R0058
(aggregate bump) carry no enum and stay at v1.
All five YAMLs gain `last_reviewed: "2026-05-02"` and
`next_review: "2026-08-02"` markers; the rule YAML is now the
canonical record of when the mapping was last reconciled against
upstream, with DEBT.md as the calendar reminder.
32 lines
807 B
YAML
32 lines
807 B
YAML
rule_id: R0056
|
|
rule_version: 1
|
|
last_reviewed: "2026-05-02"
|
|
next_review: "2026-08-02"
|
|
name: feodo_tracker_hit
|
|
description: |
|
|
Source IP listed by abuse.ch Feodo Tracker — known C2 infra,
|
|
family attribution attached.
|
|
|
|
No drift in 2026-05-02 ship-time audit: Feodo's data shape is
|
|
feed-driven (one entry per listed IP), no enum to bump. Family
|
|
flows through evidence as a string and does not need a code-level
|
|
taxonomy. Reviewed and unchanged.
|
|
applies_to:
|
|
- intel
|
|
match:
|
|
kind: lifter:intel_feodo
|
|
provider: feodo
|
|
emits:
|
|
- tactic: TA0011
|
|
technique_id: T1071
|
|
sub_technique_id: T1071.001
|
|
confidence: 0.85
|
|
- tactic: TA0042
|
|
technique_id: T1588
|
|
sub_technique_id: T1588.001
|
|
confidence: 0.85
|
|
evidence_fields:
|
|
- feodo_listed
|
|
- feodo_malware_family
|
|
- first_seen_feodo
|