Skip to content

SAF-T1004: reconcile SAF tactic, strengthen example, add diagram, verify refs#216

Open
fkautz wants to merge 1 commit into
secure-agentic-framework:mainfrom
fkautz:fix/saf-t1004-review
Open

SAF-T1004: reconcile SAF tactic, strengthen example, add diagram, verify refs#216
fkautz wants to merge 1 commit into
secure-agentic-framework:mainfrom
fkautz:fix/saf-t1004-review

Conversation

@fkautz

@fkautz fkautz commented Jul 2, 2026

Copy link
Copy Markdown
Collaborator

Summary

Addresses the SAF-T1004 (Server Impersonation / Name-Collision) review (scored 85.8, merge-with-minor-revisions). Detection rule unchanged (still 12/12).

  • Tactic/taxonomy (priority): the Overview declared ATT&CK tactics (Credential Access + Collection) while the framework index files SAF-T1004 under Initial Access. Set the Overview SAF tactic back to Initial Access (ATK-TA0001) to match the index, and moved the Credential Access / Collection framing into a note in the MITRE ATT&CK Mapping section where T1557's tactics belong.
  • Example Scenario: expanded from one registry record to the actual name collision (legitimate vs. attacker record) with the resolution step, mapped to Attack-Flow stages 2-4 and to the detection selections.
  • Visual aid: added a discovery-hijack flow diagram (DNS + rogue DHCP + ARP + registry).
  • Verification: confirmed the odr.exe Microsoft Learn reference is real ("Windows on-device agent registry" CLI with odr mcp add/list/remove), plus the Server Cards roadmap, JRC DNSSEC report, and Internet Society DNSSEC maps (2021 snapshot) by content.
  • Fixed the non-resolving detection-rule references URL (SAF-MCP -> secure-agentic-framework); gave attack-flow stage 6 a stated pivot mechanism; softened "dangerous"; normalized author-name casing.

Test

python3 techniques/SAF-T1004/test_detection_rule.py
# Test Summary: 12/12 tests passed (100.0%)

🤖 Generated with Claude Code

…ify refs

Address the SAF-T1004 review (scored 85.8, merge-with-minor-revisions):

- Tactic/taxonomy: the Overview declared ATT&CK tactics (Credential Access +
  Collection) while the framework index files SAF-T1004 under Initial Access.
  Set the Overview SAF tactic back to Initial Access (ATK-TA0001) to match the
  index, and moved the Credential Access / Collection framing into the MITRE
  ATT&CK Mapping section where T1557's tactics belong.
- Example Scenario: expanded from a single registry record to the actual name
  collision (legitimate vs. attacker record) with the resolution step, mapped to
  Attack-Flow stages 2-4 and to the detection selections.
- Added a discovery-hijack flow diagram (DNS + ARP/DHCP + registry) and gave
  attack-flow stage 6 a stated pivot mechanism.
- Verified the odr.exe Microsoft Learn reference (real: "Windows on-device agent
  registry" CLI with odr mcp add/list/remove), plus the Server Cards roadmap and
  JRC DNSSEC citations, by content.
- Fixed the non-resolving detection-rule references URL (SAF-MCP ->
  secure-agentic-framework) in both the shipped file and the synced README copy.
- Softened "dangerous"; normalized Version-History author casing.

Detection rule unchanged (still 12/12, all selections exercised).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Signed-off-by: Frederick F. Kautz IV <fkautz@alumni.cmu.edu>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant