Skip to content

feat: backlog detection rules, atomics, and pack wiring#23

Merged
Karib0u merged 4 commits into
mainfrom
feat/backlog-detection-rules
Jul 9, 2026
Merged

feat: backlog detection rules, atomics, and pack wiring#23
Karib0u merged 4 commits into
mainfrom
feat/backlog-detection-rules

Conversation

@Karib0u

@Karib0u Karib0u commented Jul 9, 2026

Copy link
Copy Markdown
Owner

What's in it

37 new detection artifacts (81 total, up from 44):

Windows Linux macOS
Sigma 15 (W1–W15) 11 (L1–L11) 5 (M1–M5)
YARA 4 (XMRig, msfvenom, Sliver, Cobalt Strike) 2 (msfvenom, Sliver)

New telemetry channels get their first rules: wmi_event, image_load, network_connection (Win+Linux), and Windows file_event.

20 new atomic firing tests (52 total) — scripts under tests/atomic/atomics/ + manifest.json entries — for every rule on a channel the CI harness reliably exercises.

Pack + catalog wiring: all 7 pack.yml manifests updated (rules, attack_coverage, telemetry_requirements); Windows Essential reaches the target composition from §7 of the backlog. 23 ATT&CK techniques added to tools/attack_techniques.json (catalog builds with 0 warnings).

Design notes

  • test_status respects the coverage gate (--check-coverage --strict-essential runs on every push). Essentials are atomic (with scripts) or manual + test_reason. Channels the harness doesn't reliably exercise on hosted runners — wmi_event, image_load, network_connection, ps_script, Linux history-delete — are manual + reason. macOS is none (excluded from the gate, matching existing convention).
  • Registry rules match the value name in TargetObject or Details (Rustinel reports TargetObject as the key path without the value name), and their atomics create a key whose path ends in the value name — same idiom as the existing WDigest/Defender rules.
  • Linux Image|endswith atomics copy /bin/sh to a temp subdir with the exact tool basename (<dir>/nc, not ..._nc) and run it with -c 'sleep 1' <tokens> so the process lives long enough for /proc command-line enrichment.

Checks (all green locally)

validate.py · build_packs.py · build_catalog.py (0 warnings) · ruff check · ruff format --check · ty check · run_atomics.py --check-coverage --strict-essential.

The P2/P3 atomic firing tests only execute end-to-end on the Windows/Linux CI runners. A few new rules use the windash modifier and cidr/Signed fields, which are documented in rustinel-support.md but not yet used by any pre-existing rule — worth watching the atomic workflow for any load-time rejection.

Karib0u added 4 commits July 9, 2026 22:26
Implement the RULES_BACKLOG.md detection set across all three waves.

Rules (37 new artifacts):
- Windows Sigma (15): WMI subscription, bcdedit/wbadmin recovery tamper,
  fsutil USN wipe, Procdump LSASS, IFEO/SilentProcessExit, Winlogon helper,
  sc/net security-service stop, AMSI bypass, unmanaged PowerShell, netsh
  portproxy, bitsadmin download, startup-folder drop, LOLBin outbound,
  unsigned-DLL sideload (hunting), recon-command burst (hunting)
- Linux Sigma (11): nc/socat exec shell, kmod from susp path, duplicate-UID-0
  account, shell outbound, history tamper, log clear, chmod suid, udev
  persistence, webshell write, base64-pipe-shell, security-service stop
- macOS Sigma (5): TCC.db access, browser credential theft, ssh
  authorized_keys, launchctl load, history tamper
- YARA (6): Windows XMRig, msfvenom (ELF+PE), Sliver (ELF+PE), Cobalt Strike

Atomic firing tests (20 new): scripts + manifest entries for every rule on a
channel the harness reliably exercises. New/uncertain channels (wmi_event,
image_load, network_connection, ps_script, Linux file-delete) are test_status
manual with a test_reason; macOS is none per existing convention.

Packs: all 7 manifests updated (rules, attack_coverage, telemetry_requirements);
Windows Essential reaches the target composition. Added 23 ATT&CK techniques to
tools/attack_techniques.json so the catalog builds with no warnings.

validate.py, build_packs.py, build_catalog.py, ruff, ty, and the
--check-coverage --strict-essential gate all pass.
…n-rules

# Conflicts:
#	packs/linux/advanced/pack.yml
#	packs/linux/essential/pack.yml
#	packs/macos/advanced/pack.yml
#	packs/macos/essential/pack.yml
#	packs/windows/advanced/pack.yml
#	packs/windows/essential/pack.yml
#	packs/windows/hunting/pack.yml
#	tests/atomic/manifest.json
…sfvenom yara into pack

The 6 linux process_creation atomics ran the copied shell as `sh -c 'sleep 1'`
with the detection tokens as trailing args. Because dash/bash tail-exec a
single `-c` command, the process replaced itself with `sleep 1` before /proc
command-line enrichment ran, dropping both its Image (nc/insmod/useradd/...)
and the detection tokens, so the CommandLine-keyed rules never fired. Use
'sleep 1; :' so the shell no longer tail-execs and lives ~1s as itself.

Also add yara-win-msfvenom-stager to the windows-essential pack (it was only
wired on linux), so the windows_msfvenom_yara_fixture atomic has a rule to
match.
…dowing

The engine emits one Sigma alert per process event (check_event returns the
first matching rule). Running the renamed nc/insmod/useradd/journalctl/chmod/
systemctl copies from /tmp meant the broad 'Execution from World-Writable /
Temporary Directory' rule matched first and shadowed the specific rule, which
was never returned (confirmed via engine logs: the 6 rules never even logged as
triggered, while world-writable fired on those exact /tmp events).

Stage the copies under /opt instead (root-writable, not world-writable), so
each specific rule is the sole match and fires. This also better mirrors reality
where these tools live in system bin dirs, not /tmp.
@Karib0u Karib0u merged commit 6a43dd3 into main Jul 9, 2026
5 checks passed
@Karib0u Karib0u deleted the feat/backlog-detection-rules branch July 9, 2026 21:09
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant