{"feed_format":"jiffy-mitre-coverage-v1","generated_at":"2026-05-02T13:31:39.283Z","source":"https://jiffylabs.app/docs-public/jiffy-review-methodology","notes":"Rule ids beginning with MS- come from the Sprint 25 MalSkills SSO co-occurrence taxonomy. Rules with empty techniques are LLM-specific (prompt injection, jailbreak, stego) and have no core ATT&CK fit — they map to MITRE ATLAS AML.T0051 instead.","tactic_count":8,"technique_count":27,"rule_count":37,"rules_with_mapping":31,"rules_llm_specific":6,"technique_names":{"T1027":"Obfuscated Files or Information","T1027.004":"Obfuscated Files or Information: Compile After Delivery","T1041":"Exfiltration Over C2 Channel","T1048":"Exfiltration Over Alternative Protocol","T1053.003":"Scheduled Task/Job: Cron","T1059.004":"Command and Scripting Interpreter: Unix Shell","T1059.006":"Command and Scripting Interpreter: Python","T1071":"Application Layer Protocol","T1090":"Proxy","T1098":"Account Manipulation","T1098.004":"Account Manipulation: SSH Authorized Keys","T1105":"Ingress Tool Transfer","T1133":"External Remote Services","T1140":"Deobfuscate/Decode Files or Information","T1195":"Supply Chain Compromise","T1195.002":"Supply Chain Compromise: Compromise Software Supply Chain","T1485":"Data Destruction","T1539":"Steal Web Session Cookie","T1543.001":"Create or Modify System Process: Launch Agent","T1543.004":"Create or Modify System Process: Launch Daemon","T1547.011":"Boot or Logon Autostart Execution: Plist Modification","T1547":"Boot or Logon Autostart Execution","T1552":"Unsecured Credentials","T1552.001":"Unsecured Credentials: Credentials In Files","T1552.004":"Unsecured Credentials: Private Keys","T1555":"Credentials from Password Stores","T1562":"Impair Defenses","T1562.001":"Impair Defenses: Disable or Modify Tools","T1567":"Exfiltration Over Web Service"},"tactic_names":{"TA0001":"Initial Access","TA0002":"Execution","TA0003":"Persistence","TA0005":"Defense Evasion","TA0006":"Credential 
Access","TA0009":"Collection","TA0010":"Exfiltration","TA0011":"Command and Control","TA0040":"Impact"},"techniques":[{"id":"T1027","name":"Obfuscated Files or Information","tactics":["TA0002","TA0005","TA0010"],"covering_rules":["MS-B64-PAYLOAD-030","MS-CRYPTO-EXFIL-010","MS-OBFUS-EXEC-002","MS-PAYLOAD-LEN-016"]},{"id":"T1027.004","name":"Obfuscated Files or Information: Compile After Delivery","tactics":["TA0002","TA0005"],"covering_rules":["MS-DYN-IMPORT-027"]},{"id":"T1041","name":"Exfiltration Over C2 Channel","tactics":["TA0005","TA0006","TA0010","TA0011"],"covering_rules":["MS-CRED-NET-001","MS-CRYPTO-EXFIL-010","MS-ENV-NET-004","MS-MULTIART-011","MS-NET-EGRESS-015"]},{"id":"T1048","name":"Exfiltration Over Alternative Protocol","tactics":["TA0010"],"covering_rules":["MS-ARCHIVE-NET-014"]},{"id":"T1053.003","name":"Scheduled Task/Job: Cron","tactics":["TA0003"],"covering_rules":["MS-PERSIST-007"]},{"id":"T1059.004","name":"Command and Scripting Interpreter: Unix Shell","tactics":["TA0001","TA0002","TA0005","TA0011","TA0040"],"covering_rules":["MS-CURL-BASH-012","MS-OBFUS-EXEC-002","MS-RM-RF-034","MS-SC-PKG-003","MS-SHELL-TRUE-036"]},{"id":"T1059.006","name":"Command and Scripting Interpreter: Python","tactics":["TA0002","TA0005","TA0011"],"covering_rules":["MS-DYN-IMPORT-027","MS-EVAL-NET-009","MS-SHELL-TRUE-036"]},{"id":"T1071","name":"Application Layer Protocol","tactics":["TA0001","TA0010","TA0011"],"covering_rules":["MS-BIND-ALL-035","MS-NET-EGRESS-015"]},{"id":"T1090","name":"Proxy","tactics":["TA0005","TA0011"],"covering_rules":["MS-MODEL-OVERRIDE-006"]},{"id":"T1098.004","name":"Account Manipulation: SSH Authorized Keys","tactics":["TA0003"],"covering_rules":["MS-SSH-008"]},{"id":"T1105","name":"Ingress Tool Transfer","tactics":["TA0002","TA0011"],"covering_rules":["MS-CURL-BASH-012","MS-EVAL-NET-009"]},{"id":"T1133","name":"External Remote 
Services","tactics":["TA0001","TA0005","TA0011"],"covering_rules":["MS-BIND-ALL-035","MS-MCP-BROAD-022"]},{"id":"T1140","name":"Deobfuscate/Decode Files or Information","tactics":["TA0002","TA0005"],"covering_rules":["MS-OBFUS-EXEC-002"]},{"id":"T1195.002","name":"Supply Chain Compromise: Compromise Software Supply Chain","tactics":["TA0001","TA0002"],"covering_rules":["MS-SC-PKG-003","MS-UNPINNED-023"]},{"id":"T1485","name":"Data Destruction","tactics":["TA0002","TA0040"],"covering_rules":["MS-RM-RF-034"]},{"id":"T1539","name":"Steal Web Session Cookie","tactics":["TA0006"],"covering_rules":["MS-BROWSER-ARTIFACT-025"]},{"id":"T1543.001","name":"Create or Modify System Process: Launch Agent","tactics":["TA0003"],"covering_rules":["MS-AUTORUN-013","MS-MCP-HOOK-029","MS-PERSIST-007"]},{"id":"T1543.004","name":"Create or Modify System Process: Launch Daemon","tactics":["TA0003"],"covering_rules":["MS-PERSIST-007"]},{"id":"T1547","name":"Boot or Logon Autostart Execution","tactics":["TA0003"],"covering_rules":["MS-MCP-HOOK-029"]},{"id":"T1547.011","name":"Boot or Logon Autostart Execution: Plist Modification","tactics":["TA0003"],"covering_rules":["MS-AUTORUN-013"]},{"id":"T1552","name":"Unsecured Credentials","tactics":["TA0006","TA0010"],"covering_rules":["MS-CONN-STRING-018","MS-ENV-NET-004","MS-HARDCODED-SECRET-017","MS-TOKEN-URL-024"]},{"id":"T1552.001","name":"Unsecured Credentials: Credentials In Files","tactics":["TA0006","TA0010"],"covering_rules":["MS-CRED-NET-001","MS-MULTIART-011"]},{"id":"T1552.004","name":"Unsecured Credentials: Private Keys","tactics":["TA0006"],"covering_rules":["MS-PEM-KEY-019"]},{"id":"T1555","name":"Credentials from Password Stores","tactics":["TA0006"],"covering_rules":["MS-BROWSER-ARTIFACT-025"]},{"id":"T1562","name":"Impair Defenses","tactics":["TA0001","TA0005","TA0011"],"covering_rules":["MS-MCP-BROAD-022","MS-MODEL-OVERRIDE-006"]},{"id":"T1562.001","name":"Impair Defenses: Disable or Modify 
Tools","tactics":["TA0005"],"covering_rules":["MS-DANGER-FLAG-031","MS-EMPTY-PERMS-026","MS-WILDCARD-TOOLS-032"]},{"id":"T1567","name":"Exfiltration Over Web Service","tactics":["TA0006","TA0010"],"covering_rules":["MS-ARCHIVE-NET-014","MS-MULTIART-011"]}],"mappings":{"MS-CRED-NET-001":{"techniques":["T1552.001","T1041"],"tactics":["TA0006","TA0010"],"rationale":"Reads credential files and exfiltrates over C2-style POST."},"MS-OBFUS-EXEC-002":{"techniques":["T1027","T1140","T1059.004"],"tactics":["TA0005","TA0002"],"rationale":"Deobfuscate-then-execute pattern (base64 decode into shell)."},"MS-SC-PKG-003":{"techniques":["T1195.002","T1059.004"],"tactics":["TA0001","TA0002"],"rationale":"Unpinned install followed by execution — classic supply-chain."},"MS-ENV-NET-004":{"techniques":["T1552","T1041"],"tactics":["TA0006","TA0010"],"rationale":"Reads secret-shaped env var and exfiltrates externally."},"MS-PI-005":{"techniques":[],"tactics":[],"rationale":"LLM-specific prompt injection — no core ATT&CK fit. 
See MITRE ATLAS AML.T0051 (LLM Prompt Injection)."},"MS-MODEL-OVERRIDE-006":{"techniques":["T1090","T1562"],"tactics":["TA0011","TA0005"],"rationale":"Redirects model provider URL via env var — proxies LLM traffic and impairs the reviewer."},"MS-PERSIST-007":{"techniques":["T1053.003","T1543.001","T1543.004"],"tactics":["TA0003"],"rationale":"Installs cron / launchctl / systemd persistence."},"MS-SSH-008":{"techniques":["T1098.004"],"tactics":["TA0003"],"rationale":"Generates an SSH keypair for persistence or lateral movement via authorized-keys abuse."},"MS-EVAL-NET-009":{"techniques":["T1059.006","T1105"],"tactics":["TA0002","TA0011"],"rationale":"Dynamic eval on a remote payload — RCE over ingress tool transfer."},"MS-CRYPTO-EXFIL-010":{"techniques":["T1027","T1041"],"tactics":["TA0005","TA0010"],"rationale":"Encrypts sensitive file contents before exfil."},"MS-MULTIART-011":{"techniques":["T1552.001","T1041","T1567"],"tactics":["TA0006","TA0010"],"rationale":"Multi-artifact exfil: declarative artifact orchestrates code-side credential read + POST."},"MS-CURL-BASH-012":{"techniques":["T1059.004","T1105"],"tactics":["TA0002","TA0011"],"rationale":"curl|bash pipes remote payload directly to a shell."},"MS-AUTORUN-013":{"techniques":["T1547.011","T1543.001"],"tactics":["TA0003"],"rationale":"Writes to launch-agent / autostart location for boot persistence."},"MS-ARCHIVE-NET-014":{"techniques":["T1048","T1567"],"tactics":["TA0010"],"rationale":"Archives data into a bundle then POSTs externally — alt-protocol exfil."},"MS-NET-EGRESS-015":{"techniques":["T1041","T1071"],"tactics":["TA0010","TA0011"],"rationale":"Generic outbound POST/GET to external URL — exfil channel surrogate."},"MS-PAYLOAD-LEN-016":{"techniques":["T1027"],"tactics":["TA0005"],"rationale":"Very large operand value — potential payload smuggling via obfuscation."},"MS-HARDCODED-SECRET-017":{"techniques":["T1552"],"tactics":["TA0006"],"rationale":"Live-mode secret / credential embedded 
directly."},"MS-CONN-STRING-018":{"techniques":["T1552"],"tactics":["TA0006"],"rationale":"Database conn string with embedded password."},"MS-PEM-KEY-019":{"techniques":["T1552.004"],"tactics":["TA0006"],"rationale":"Embedded PEM private key."},"MS-STEGO-020":{"techniques":[],"tactics":[],"rationale":"Zero-width / bidi character stego targeting LLM tokenization — no core ATT&CK fit. See MITRE ATLAS AML.T0051."},"MS-JAILBREAK-021":{"techniques":[],"tactics":[],"rationale":"LLM-specific jailbreak / persona override — no core ATT&CK fit. See MITRE ATLAS AML.T0051."},"MS-MCP-BROAD-022":{"techniques":["T1562","T1133"],"tactics":["TA0005","TA0001"],"rationale":"Wildcard / auto-hook MCP config enables untrusted servers — broadens external-remote-service surface."},"MS-UNPINNED-023":{"techniques":["T1195.002"],"tactics":["TA0001"],"rationale":"Unpinned git-based install — software supply chain compromise vector."},"MS-TOKEN-URL-024":{"techniques":["T1552"],"tactics":["TA0006"],"rationale":"Credential embedded in URL (git clone with $TOKEN)."},"MS-BROWSER-ARTIFACT-025":{"techniques":["T1539","T1555"],"tactics":["TA0006"],"rationale":"Reads browser cookies / login DB / history — web session theft."},"MS-EMPTY-PERMS-026":{"techniques":["T1562.001"],"tactics":["TA0005"],"rationale":"Empty permissions block — skill grants itself unrestricted access, disabling controls."},"MS-DYN-IMPORT-027":{"techniques":["T1027.004","T1059.006"],"tactics":["TA0005","TA0002"],"rationale":"Dynamic import / Function constructor loads unreviewed modules at runtime."},"MS-BYPASS-028":{"techniques":[],"tactics":[],"rationale":"LLM-specific content-side bypass instruction — no core ATT&CK fit. 
See MITRE ATLAS AML.T0051."},"MS-MCP-HOOK-029":{"techniques":["T1547","T1543.001"],"tactics":["TA0003"],"rationale":"MCP PreToolUse / PostToolUse auto-hook — persistence on every tool invocation."},"MS-B64-PAYLOAD-030":{"techniques":["T1027"],"tactics":["TA0005"],"rationale":"Long base64 literal — likely smuggled payload."},"MS-DANGER-FLAG-031":{"techniques":["T1562.001"],"tactics":["TA0005"],"rationale":"yolo / skip-permissions / disable-sandbox flags disable the reviewer."},"MS-WILDCARD-TOOLS-032":{"techniques":["T1562.001"],"tactics":["TA0005"],"rationale":"Wildcard-allowed tools / empty disallow list — self-grants unrestricted access."},"MS-JSON-INJECT-033":{"techniques":[],"tactics":[],"rationale":"JSON-injection escape targeting LLM output parsing — no core ATT&CK fit. See MITRE ATLAS AML.T0051."},"MS-RM-RF-034":{"techniques":["T1485","T1059.004"],"tactics":["TA0040","TA0002"],"rationale":"Destructive rm -rf of root / home / wildcard."},"MS-BIND-ALL-035":{"techniques":["T1133","T1071"],"tactics":["TA0001","TA0011"],"rationale":"Service binds 0.0.0.0 — exposes external remote service."},"MS-SHELL-TRUE-036":{"techniques":["T1059.004","T1059.006"],"tactics":["TA0002"],"rationale":"subprocess shell=True with user input — command injection."},"MS-HTML-INJECT-037":{"techniques":[],"tactics":[],"rationale":"HTML-comment-hidden system/prompt override — LLM-specific, no core ATT&CK fit. See MITRE ATLAS AML.T0051."}}}