Skip to content

feat(corpus): add Command & Control + Impact pairs (TA0011, TA0040)#46

Merged
Gerrrt merged 2 commits into
mainfrom
claude/corpus-p1-c2-impact
Jul 10, 2026
Merged

feat(corpus): add Command & Control + Impact pairs (TA0011, TA0040)#46
Gerrrt merged 2 commits into
mainfrom
claude/corpus-p1-c2-impact

Conversation

@Gerrrt

@Gerrrt Gerrrt commented Jul 10, 2026

Copy link
Copy Markdown
Collaborator

What

Fills the two ATT&CK tactics that had zero corpus coverage — Command & Control (TA0011) and Impact (TA0040) — with 14 new red↔blue pairs (+28 entries). Before this, the corpus (72 red / 71 blue) covered TA0001TA0010 but nothing on the C2 or Impact ends of the kill chain.

Command & Control — TA0011 (8 pairs)

Attack (red) Detection (blue) Technique
HTTPS beacon, long sleep + jitter (Sliver/Cobalt/Havoc) inter-arrival regularity over proxy logs T1071.001
DNS-tunnel C2 (iodine/dnscat2) Sysmon-22 query volume + label length T1071.004
Domain-fronted C2 (CDN edge) TLS SNI vs HTTP Host mismatch T1090.004
Mutual-TLS implant (Sliver mTLS) JA3/JA3S fingerprint match T1573.002
ICMP-tunnel C2 echo volume + payload size T1095
Web-service C2 (Telegram/Slack/Gist) Sysmon-3 non-browser → SaaS API T1102.002
DGA rendezvous domains NXDOMAIN burst + label entropy T1568.002
Reverse tunnel (chisel/ligolo-ng) long-lived outbound session + JA3 T1572

Impact — TA0040 (6 pairs)

Attack (red) Detection (blue) Technique
Inhibit recovery (vssadmin/wbadmin/bcdedit) 4688 delete-shadows command shapes T1490
Mass file encryption 4663 write-burst + note drop T1486
Pre-encryption service kills 7036/4688 service-stop burst T1489
Cloud data destruction (snapshot/bucket delete) CloudTrail delete burst T1485
Cryptojacking (xmrig/Stratum) Stratum pool connections + CPU peg T1496
Account access removal (lock out defenders) 4724/4725/4726 on admin accounts T1531

Each attack is deliberately paired with the detection that survives its evasion (the jitter-resistant statistic, the SNI/Host invariant, the fingerprint that doesn't change with sleep) rather than a naive IOC.

Verification

Passes every ci.yml gate locally:

  • pairing graph — every new entry's pair: is bidirectional (exit 0).
  • slot vocabulary — only registered slots used ({{lhost}}, {{port}}); comm -23 clean.
  • drift gategen-views.sh --check green (corpus-only, no flat-view markers).
  • Every new attack.tactic is TA0011/TA0040; every technique ID is valid and non-deprecated.

Corpus counts rise 72→86 red, 71→85 blue. CHANGELOG.md [Unreleased] updated.

🤖 Generated with Claude Code


Generated by Claude Code

Fill the two ATT&CK tactics with zero corpus coverage: 14 new red↔blue
pairs (+28 entries).

Command & Control (TA0011, 8 pairs): HTTPS beacon sleep+jitter, DNS
tunneling, domain fronting, mutual-TLS/JA3, ICMP tunneling, web-service
C2, DGA rendezvous domains, reverse tunnels. Each attack is paired with
the detection that survives its evasion.

Impact (TA0040, 6 pairs): recovery inhibition, mass file encryption,
pre-encryption service kills, cloud data destruction, cryptojacking,
account access removal.

Corpus-only (no flat-view markers); passes the pairing, slot-vocabulary,
and drift gates. Only registered slots used ({{lhost}}, {{port}}).

Co-Authored-By: Claude Opus 4.8 <[email protected]>
Claude-Session: https://claude.ai/code/session_012CpbBxJLgsg3T3ropqYGJA
Copilot AI review requested due to automatic review settings July 10, 2026 05:36

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Adds new red↔blue corpus coverage for the two previously-unrepresented ATT&CK tactics—Command & Control (TA0011) and Impact (TA0040)—by introducing 14 paired entries and documenting the change in the changelog.

Changes:

  • Add 8 new TA0011 Command & Control red↔blue pairs (beaconing, tunneling, fronting, web-service C2, DGA, etc.).
  • Add 6 new TA0040 Impact red↔blue pairs (recovery inhibition, service stops, mass encryption, cloud destruction, cryptomining, account removal).
  • Update CHANGELOG.md [Unreleased] to reflect the new corpus coverage.

Reviewed changes

Copilot reviewed 29 out of 29 changed files in this pull request and generated 8 comments.

Show a summary per file
File Description
entries/red/web-service-c2-telegram.md New red entry describing C2 over Telegram/Slack/Gist APIs.
entries/red/service-stop-preransom.md New red entry describing pre-ransomware service termination.
entries/red/reverse-tunnel-chisel.md New red entry describing reverse tunnels (chisel/ligolo-ng).
entries/red/resource-hijack-xmrig.md New red entry describing cryptomining resource hijack (xmrig).
entries/red/ransomware-encrypt-files.md New red entry describing mass file encryption impact behavior.
entries/red/mtls-c2-sliver.md New red entry describing mutual-TLS C2 (Sliver mTLS).
entries/red/inhibit-recovery-vssadmin.md New red entry describing shadow copy/backup deletion to inhibit recovery.
entries/red/icmp-tunnel-c2.md New red entry describing ICMP echo-payload tunneling for C2.
entries/red/https-beacon-sliver.md New red entry describing HTTPS beaconing with long sleep and jitter.
entries/red/domain-fronting-cdn.md New red entry describing domain-fronted C2 via CDN.
entries/red/dns-tunnel-c2.md New red entry describing DNS tunneling C2.
entries/red/dga-c2-domains.md New red entry describing DGA rendezvous domains for resilient C2.
entries/red/cloud-snapshot-destroy.md New red entry describing cloud snapshot/object/table deletion for impact.
entries/red/account-lockout-defenders.md New red entry describing defender/admin account lockout/removal.
entries/blue/web-service-c2-beacon.md New blue entry detecting non-browser processes calling SaaS APIs (Sysmon 3).
entries/blue/service-stop-7036.md New blue entry detecting bursts of service stops (SCM 7036) prior to encryption.
entries/blue/reverse-tunnel-detect.md New blue entry detecting long-lived high-volume outbound tunnel sessions (Zeek).
entries/blue/mtls-c2-ja3.md New blue entry detecting encrypted C2 via JA3/JA3S TLS fingerprints (Zeek).
entries/blue/mass-encrypt-4663.md New blue entry detecting write storms consistent with mass encryption (4663).
entries/blue/inhibit-recovery-4688.md New blue entry detecting recovery-inhibition command-line shapes (4688).
entries/blue/icmp-c2-volume.md New blue entry detecting ICMP tunneling via volumetrics (Zeek/NetFlow).
entries/blue/https-beacon-jitter.md New blue entry detecting beaconing via inter-arrival regularity in proxy logs.
entries/blue/domain-fronting-sni-mismatch.md New blue entry detecting SNI vs Host mismatches indicative of domain fronting.
entries/blue/dns-tunnel-sysmon-22.md New blue entry detecting DNS tunneling via Sysmon 22 query shape/volume.
entries/blue/dga-nxdomain-entropy.md New blue entry detecting DGAs via NXDOMAIN bursts and label entropy heuristics.
entries/blue/cryptomine-pool-detect.md New blue entry detecting Stratum pool connections + CPU pegging (Zeek/EDR).
entries/blue/cloud-destroy-cloudtrail.md New blue entry detecting destructive CloudTrail verb bursts across services.
entries/blue/account-removal-4725.md New blue entry detecting admin account removal/reset/disable/delete bursts.
CHANGELOG.md Documents the added TA0011/TA0040 corpus coverage under [Unreleased].

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread entries/blue/web-service-c2-beacon.md Outdated
Comment thread entries/blue/reverse-tunnel-detect.md Outdated
Comment thread entries/blue/cryptomine-pool-detect.md Outdated
Comment thread entries/blue/dns-tunnel-sysmon-22.md
Comment thread entries/blue/dga-nxdomain-entropy.md Outdated
Comment thread entries/blue/mass-encrypt-4663.md Outdated
Comment thread entries/blue/account-removal-4725.md Outdated
Comment thread entries/blue/service-stop-7036.md Outdated
Address 8 detection-accuracy findings on the C2 + Impact blue entries:

- web-service-c2-beacon: IN(...) is exact-match in Splunk; use wildcard
  `=` comparisons so `*.slack.com` actually matches subdomains.
- cryptomine-pool-detect: drop the non-existent conn.log `resp_domain`
  field; keep the base query port-based, enrich via dns.log/ssl.log.
- reverse-tunnel-detect: RFC1918 exclusion needs cidrmatch(), not
  `NOT id.resp_h IN (CIDR,...)`.
- dns-tunnel-sysmon-22: group by extracted parent_domain to match the
  prose (was Image,host only).
- dga-nxdomain-entropy: replace the undefined `dns_entropy` macro with a
  self-contained length + vowel-ratio heuristic.
- mass-encrypt-4663: extract the directory path before dc() so `dirs`
  counts folders, not drive letters.
- account-removal-4725: event_ids now include 4729/4733 to match the
  group-removal content.
- service-stop-7036: tighten metadata to 7036-only (the provided query),
  4688 kept as explicit out-of-band corroboration.

Co-Authored-By: Claude Opus 4.8 <[email protected]>
Claude-Session: https://claude.ai/code/session_012CpbBxJLgsg3T3ropqYGJA
@Gerrrt Gerrrt merged commit ec15e6b into main Jul 10, 2026
1 check passed
@Gerrrt Gerrrt mentioned this pull request Jul 10, 2026
@Gerrrt Gerrrt deleted the claude/corpus-p1-c2-impact branch July 10, 2026 23:01
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants