feat(corpus): add Command & Control + Impact pairs (TA0011, TA0040)#46
Merged
Conversation
Fill the two ATT&CK tactics with zero corpus coverage: 14 new red↔blue
pairs (+28 entries).
Command & Control (TA0011, 8 pairs): HTTPS beacon sleep+jitter, DNS
tunneling, domain fronting, mutual-TLS/JA3, ICMP tunneling, web-service
C2, DGA rendezvous domains, reverse tunnels. Each attack is paired with
the detection that survives its evasion.
Impact (TA0040, 6 pairs): recovery inhibition, mass file encryption,
pre-encryption service kills, cloud data destruction, cryptojacking,
account access removal.
Corpus-only (no flat-view markers); passes the pairing, slot-vocabulary,
and drift gates. Only registered slots used ({{lhost}}, {{port}}).
Co-Authored-By: Claude Opus 4.8 <[email protected]>
Claude-Session: https://claude.ai/code/session_012CpbBxJLgsg3T3ropqYGJA
Contributor
There was a problem hiding this comment.
Pull request overview
Adds new red↔blue corpus coverage for the two previously-unrepresented ATT&CK tactics—Command & Control (TA0011) and Impact (TA0040)—by introducing 14 paired entries and documenting the change in the changelog.
Changes:
- Add 8 new TA0011 Command & Control red↔blue pairs (beaconing, tunneling, fronting, web-service C2, DGA, etc.).
- Add 6 new TA0040 Impact red↔blue pairs (recovery inhibition, service stops, mass encryption, cloud destruction, cryptomining, account removal).
- Update
CHANGELOG.md[Unreleased]to reflect the new corpus coverage.
Reviewed changes
Copilot reviewed 29 out of 29 changed files in this pull request and generated 8 comments.
Show a summary per file
| File | Description |
|---|---|
| entries/red/web-service-c2-telegram.md | New red entry describing C2 over Telegram/Slack/Gist APIs. |
| entries/red/service-stop-preransom.md | New red entry describing pre-ransomware service termination. |
| entries/red/reverse-tunnel-chisel.md | New red entry describing reverse tunnels (chisel/ligolo-ng). |
| entries/red/resource-hijack-xmrig.md | New red entry describing cryptomining resource hijack (xmrig). |
| entries/red/ransomware-encrypt-files.md | New red entry describing mass file encryption impact behavior. |
| entries/red/mtls-c2-sliver.md | New red entry describing mutual-TLS C2 (Sliver mTLS). |
| entries/red/inhibit-recovery-vssadmin.md | New red entry describing shadow copy/backup deletion to inhibit recovery. |
| entries/red/icmp-tunnel-c2.md | New red entry describing ICMP echo-payload tunneling for C2. |
| entries/red/https-beacon-sliver.md | New red entry describing HTTPS beaconing with long sleep and jitter. |
| entries/red/domain-fronting-cdn.md | New red entry describing domain-fronted C2 via CDN. |
| entries/red/dns-tunnel-c2.md | New red entry describing DNS tunneling C2. |
| entries/red/dga-c2-domains.md | New red entry describing DGA rendezvous domains for resilient C2. |
| entries/red/cloud-snapshot-destroy.md | New red entry describing cloud snapshot/object/table deletion for impact. |
| entries/red/account-lockout-defenders.md | New red entry describing defender/admin account lockout/removal. |
| entries/blue/web-service-c2-beacon.md | New blue entry detecting non-browser processes calling SaaS APIs (Sysmon 3). |
| entries/blue/service-stop-7036.md | New blue entry detecting bursts of service stops (SCM 7036) prior to encryption. |
| entries/blue/reverse-tunnel-detect.md | New blue entry detecting long-lived high-volume outbound tunnel sessions (Zeek). |
| entries/blue/mtls-c2-ja3.md | New blue entry detecting encrypted C2 via JA3/JA3S TLS fingerprints (Zeek). |
| entries/blue/mass-encrypt-4663.md | New blue entry detecting write storms consistent with mass encryption (4663). |
| entries/blue/inhibit-recovery-4688.md | New blue entry detecting recovery-inhibition command-line shapes (4688). |
| entries/blue/icmp-c2-volume.md | New blue entry detecting ICMP tunneling via volumetrics (Zeek/NetFlow). |
| entries/blue/https-beacon-jitter.md | New blue entry detecting beaconing via inter-arrival regularity in proxy logs. |
| entries/blue/domain-fronting-sni-mismatch.md | New blue entry detecting SNI vs Host mismatches indicative of domain fronting. |
| entries/blue/dns-tunnel-sysmon-22.md | New blue entry detecting DNS tunneling via Sysmon 22 query shape/volume. |
| entries/blue/dga-nxdomain-entropy.md | New blue entry detecting DGAs via NXDOMAIN bursts and label entropy heuristics. |
| entries/blue/cryptomine-pool-detect.md | New blue entry detecting Stratum pool connections + CPU pegging (Zeek/EDR). |
| entries/blue/cloud-destroy-cloudtrail.md | New blue entry detecting destructive CloudTrail verb bursts across services. |
| entries/blue/account-removal-4725.md | New blue entry detecting admin account removal/reset/disable/delete bursts. |
| CHANGELOG.md | Documents the added TA0011/TA0040 corpus coverage under [Unreleased]. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Address 8 detection-accuracy findings on the C2 + Impact blue entries: - web-service-c2-beacon: IN(...) is exact-match in Splunk; use wildcard `=` comparisons so `*.slack.com` actually matches subdomains. - cryptomine-pool-detect: drop the non-existent conn.log `resp_domain` field; keep the base query port-based, enrich via dns.log/ssl.log. - reverse-tunnel-detect: RFC1918 exclusion needs cidrmatch(), not `NOT id.resp_h IN (CIDR,...)`. - dns-tunnel-sysmon-22: group by extracted parent_domain to match the prose (was Image,host only). - dga-nxdomain-entropy: replace the undefined `dns_entropy` macro with a self-contained length + vowel-ratio heuristic. - mass-encrypt-4663: extract the directory path before dc() so `dirs` counts folders, not drive letters. - account-removal-4725: event_ids now include 4729/4733 to match the group-removal content. - service-stop-7036: tighten metadata to 7036-only (the provided query), 4688 kept as explicit out-of-band corroboration. Co-Authored-By: Claude Opus 4.8 <[email protected]> Claude-Session: https://claude.ai/code/session_012CpbBxJLgsg3T3ropqYGJA
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What
Fills the two ATT&CK tactics that had zero corpus coverage — Command & Control (
TA0011) and Impact (TA0040) — with 14 new red↔blue pairs (+28 entries). Before this, the corpus (72 red / 71 blue) coveredTA0001–TA0010but nothing on the C2 or Impact ends of the kill chain.Command & Control —
TA0011(8 pairs)Impact —
TA0040(6 pairs)Each attack is deliberately paired with the detection that survives its evasion (the jitter-resistant statistic, the SNI/Host invariant, the fingerprint that doesn't change with sleep) rather than a naive IOC.
Verification
Passes every
ci.ymlgate locally:pair:is bidirectional (exit 0).{{lhost}},{{port}});comm -23clean.gen-views.sh --checkgreen (corpus-only, no flat-view markers).attack.tacticisTA0011/TA0040; every technique ID is valid and non-deprecated.Corpus counts rise 72→86 red, 71→85 blue.
CHANGELOG.md[Unreleased]updated.🤖 Generated with Claude Code
Generated by Claude Code