anti/DECNET
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
9def7fd22f4fd71db4ca4187d6633c41bd3f53ec
DECNET/rules/ttp/R0057.yaml
anti f8dee596e5 fix(ttp): expand R0054/R0055/R0057 emits + LAST_REVIEWED markers 
The IntelLifter's _emit_filtered fans out only the rule.emits entries
whose technique_id appears in the predicate's decision set. v1's emits
lists were narrow supersets of the common case, silently dropping the
rest of the predicate's possible emissions:

  R0054 dropped: T1046 (cat 14), T1078 (cat 20), T1090 (cats 9/13),
                 T1496 (cat 11), T1595 (cats 14/19)
  R0055 dropped: T1090 (tor_exit_node), T1110 (ssh_bruteforcer),
                 T1588 (the second emit of every C2-framework tag)
  R0057 dropped: T1105 (payload_delivery, download_url)

Bump rule_version 1->2 on R0054/R0055/R0057, expand emits to cover
every technique the predicate produces. R0056 (Feodo) and R0058
(aggregate bump) carry no enum and stay at v1.

All five YAMLs gain `last_reviewed: "2026-05-02"` and
`next_review: "2026-08-02"` markers; the rule YAML is now the
canonical record of when the mapping was last reconciled against
upstream, with DEBT.md as the calendar reminder.
2026-05-02 18:09:03 -04:00

41 lines
1.1 KiB
YAML
Raw Blame History

rule_id: R0057
rule_version: 2
last_reviewed: "2026-05-02"
next_review: "2026-08-02"
name: threatfox_threat_type
description: |
abuse.ch ThreatFox ``threat_type`` → ATT&CK technique mapping with
family attribution.
v2 (2026-05-02 ship-time audit): keys on ``threat_type`` (the
canonical ThreatFox taxonomy) instead of ``ioc_type`` — v1 had it
backwards, ``ioc_type`` is the indicator format (url / domain /
hash) and carries no ATT&CK signal. Also expanded ``emits`` to
include T1105 (payload_delivery) and T1056 (cc_skimming) which v1
silently dropped, and the lifter now reads from the bus payload
fields ``threatfox_threat_types`` (list) populated by the intel
worker.
applies_to:
- intel
match:
kind: lifter:intel_threatfox
provider: threatfox
emits:
- tactic: TA0011
technique_id: T1071
confidence: 0.8
- tactic: TA0042
technique_id: T1588
sub_technique_id: T1588.001
confidence: 0.8
- tactic: TA0011
technique_id: T1105
confidence: 0.75
- tactic: TA0009
technique_id: T1056
confidence: 0.7
evidence_fields:
- threatfox_threat_types
- threatfox_ioc_types
- threatfox_malware_families
Reference in New Issue View Git Blame Copy Permalink