anti
806301e179
10 YAMLs for the behavioral / cross-event cohort per Appendix B: beaconing, data destruction, ransom note, web exfil, DB mass-read, credentials-in-files, k8s SA token harvest, Docker host escape, LLMNR poisoning, TFTP router-config retrieval. Every rule is lifter-bound (BehavioralLifter / IdentityLifter) — the v0 RuleEngine cannot count, aggregate, or compose cross-event signals, so these YAMLs declare the technique mappings the lifter will consume by rule_id at E.3.9. Their match specs use a 'kind: lifter:*' shape inert to the regex matcher. test_behavioral_rules.py asserts each YAML compiles, none fire from the v0 engine (FP regression guard against a YAML drifting into a regex), and an xfail(strict=True, reason='impl phase E.3.9') precision case that will flip green when the lifter lands.
25 lines
580 B
YAML
25 lines
580 B
YAML
rule_id: R0032
|
|
rule_version: 1
|
|
name: data_destruction
|
|
description: |
|
|
Mass destructive ops: Redis FLUSHALL, SQL DROP DATABASE, MongoDB
|
|
dropDatabase(), bulk DELETE without WHERE. Cross-event because we
|
|
want to confirm the verb landed on real data, not just a parse.
|
|
applies_to:
|
|
- session
|
|
match:
|
|
kind: lifter:data_destruction
|
|
patterns:
|
|
- 'FLUSHALL'
|
|
- 'DROP\\s+DATABASE'
|
|
- 'TRUNCATE\\s+TABLE'
|
|
- 'dropDatabase\\(\\)'
|
|
- 'DELETE\\s+/\\_all'
|
|
emits:
|
|
- tactic: TA0040
|
|
technique_id: T1485
|
|
confidence: 0.95
|
|
evidence_fields:
|
|
- matched_op
|
|
- target
|