5 YAMLs for the canary-fingerprint cohort per Appendix B / A.9: navigator.webdriver flag, automation canvas/audio/WebGL hash match, WebRTC IP leak, TZ/lang vs geo mismatch, platform inconsistency. CanaryFingerprintLifter (E.3.11) consumes by rule_id. test_canary_rules.py: YAML-present + inert-in-v0 + xfail(strict) gated on E.3.11.
29 lines
635 B
YAML
```yaml
rule_id: R0050
rule_version: 1
name: automation_canvas_audio_hash
description: |
  Canvas / audio / WebGL fingerprint hash matches a known automation
  tooling cohort (Puppeteer / Playwright / Selenium / curl-impersonate).
applies_to:
  - canary_fingerprint
match:
  kind: lifter:canary_automation_hash
  catalogues:
    - puppeteer
    - playwright
    - selenium
    - curl_impersonate
emits:
  - tactic: TA0002
    technique_id: T1059
    confidence: 0.85
  - tactic: TA0042
    technique_id: T1588
    sub_technique_id: T1588.002
    confidence: 0.85
evidence_fields:
  - canvas_hash
  - audio_hash
  - webgl_hash
  - matched_tool
```