anti
b1fe1f9403
30 YAMLs for the shell/command rule cohort per Appendix B (rules/ttp/). Splits into engine-active (R0007-R0029, regex on command_text / raw_url / user_agent) and lifter-bound (R0001-R0006, R0030 — the v0 RuleEngine cannot count auth attempts, do identity rollups, or parse fingerprint blobs; the BehavioralLifter / IdentityLifter / CredentialLifter consume them by rule_id at E.3.9 / E.3.13). test_command_rules.py asserts: - every R000N has a YAML that compiles - lifter-bound rules NEVER fire from the v0 engine (regression guard against a YAML drifting into a regex match.spec) - engine-active rules meet their Appendix-C precision target against the seed corpus (≥0.95 high-conf, ≥0.80 medium) Conftest fixes: precision_engine moved to module-scope so module- scope precomputed dispatch fixture (fired_by_label) can request it; _RULES_DIR path bumped from parents[2] to parents[3] so the loader resolves the project root regardless of pytest cwd; make_event synthesizes attacker_uuid so TTPTag's anchor invariant is satisfied. Seed corpus broadened: positive examples for every regex rule plus 6 negative examples across innocuous shell verbs (ls, echo, cd, ps, df, free) so FPs surface in precision rather than passing vacuously.
20 lines
646 B
YAML
20 lines
646 B
YAML
rule_id: R0027
|
|
rule_version: 1
|
|
name: webshell_install
|
|
description: |
|
|
Drop a PHP/JSP/ASPX webshell into a webroot via shell redirect
|
|
or wget/curl-to-file. Conservative — we want the shell pattern
|
|
AND a webroot path, not just any echo > x.php.
|
|
applies_to:
|
|
- command
|
|
match:
|
|
field: command_text
|
|
pattern: '(?:echo|printf|cat\s*<<\w+|wget\s+-O|curl\s+-o)\s+[^\n;|]*(?:<\?php|<%@|system\(|eval\(|exec\()[^\n;|]*>\s*[^\n;|]*\.(?:php|jsp|aspx|jspx|phtml)\b|>\s*/var/www/[^\s;|]+\.(?:php|jsp|aspx|jspx)\b'
|
|
emits:
|
|
- tactic: TA0003
|
|
technique_id: T1505
|
|
sub_technique_id: T1505.003
|
|
confidence: 0.9
|
|
evidence_fields:
|
|
- command_text
|