anti/DECNET
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
b3a96a045f29cd3bc8cf67a8d08e5477b7dca6ae
DECNET/rules/ttp/R0054.yaml
anti f8dee596e5 fix(ttp): expand R0054/R0055/R0057 emits + LAST_REVIEWED markers 
The IntelLifter's _emit_filtered fans out only the rule.emits entries
whose technique_id appears in the predicate's decision set. v1's emits
lists were narrow supersets of the common case, silently dropping the
rest of the predicate's possible emissions:

  R0054 dropped: T1046 (cat 14), T1078 (cat 20), T1090 (cats 9/13),
                 T1496 (cat 11), T1595 (cats 14/19)
  R0055 dropped: T1090 (tor_exit_node), T1110 (ssh_bruteforcer),
                 T1588 (the second emit of every C2-framework tag)
  R0057 dropped: T1105 (payload_delivery, download_url)

Bump rule_version 1->2 on R0054/R0055/R0057, expand emits to cover
every technique the predicate produces. R0056 (Feodo) and R0058
(aggregate bump) carry no enum and stay at v1.

All five YAMLs gain `last_reviewed: "2026-05-02"` and
`next_review: "2026-08-02"` markers; the rule YAML is now the
canonical record of when the mapping was last reconciled against
upstream, with DEBT.md as the calendar reminder.
2026-05-02 18:09:03 -04:00

50 lines
1.4 KiB
YAML
Raw Blame History

rule_id: R0054
rule_version: 2
last_reviewed: "2026-05-02"
next_review: "2026-08-02"
name: abuseipdb_category
description: |
AbuseIPDB category → ATT&CK technique mapping per Appendix A.10.
IntelLifter reads AttackerIntel.abuseipdb_categories and emits one
tag per technique the predicate selects from the matched categories.
v2 (2026-05-02 ship-time audit): expanded ``emits`` to cover every
technique the predicate can produce — v1 silently dropped T1046
(cat 14), T1078 (cat 20), T1090 (cats 9/13), T1496 (cat 11),
T1498 (cat 4 — still unmapped intentionally), T1595 (cats 14/19).
Also corrects the cat 10/17 → 4/13 wire-vs-design typo and adds
cat 7 (Phishing) → T1566 and cat 16 (SQL Injection) → T1190.
applies_to:
- intel
match:
kind: lifter:intel_abuseipdb
provider: abuseipdb
emits:
- tactic: TA0006
technique_id: T1110
confidence: 0.7
- tactic: TA0001
technique_id: T1190
confidence: 0.7
- tactic: TA0001
technique_id: T1566
confidence: 0.7
- tactic: TA0007
technique_id: T1046
confidence: 0.7
- tactic: TA0001
technique_id: T1078
confidence: 0.6
- tactic: TA0011
technique_id: T1090
confidence: 0.6
- tactic: TA0040
technique_id: T1496
confidence: 0.6
- tactic: TA0043
technique_id: T1595
confidence: 0.7
evidence_fields:
- abuseipdb_categories
- abuseipdb_score
Reference in New Issue View Git Blame Copy Permalink