@blamejs/exceptd-skills 0.12.23 → 0.12.25

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (70) hide show
  1. package/AGENTS.md +12 -4
  2. package/CHANGELOG.md +190 -3
  3. package/README.md +14 -1
  4. package/bin/exceptd.js +584 -166
  5. package/data/_indexes/_meta.json +31 -31
  6. package/data/_indexes/activity-feed.json +45 -45
  7. package/data/_indexes/catalog-summaries.json +19 -19
  8. package/data/_indexes/chains.json +320 -0
  9. package/data/_indexes/currency.json +9 -9
  10. package/data/_indexes/frequency.json +39 -2
  11. package/data/_indexes/jurisdiction-clocks.json +2 -2
  12. package/data/_indexes/jurisdiction-map.json +3 -1
  13. package/data/_indexes/section-offsets.json +396 -396
  14. package/data/_indexes/summary-cards.json +3 -3
  15. package/data/_indexes/token-budget.json +73 -73
  16. package/data/atlas-ttps.json +491 -19
  17. package/data/attack-techniques.json +198 -84
  18. package/data/cve-catalog.json +1309 -9
  19. package/data/exploit-availability.json +300 -10
  20. package/data/framework-control-gaps.json +395 -1
  21. package/data/global-frameworks.json +44 -19
  22. package/data/playbooks/containers.json +1 -1
  23. package/data/playbooks/crypto-codebase.json +1 -1
  24. package/data/playbooks/framework.json +1 -1
  25. package/data/playbooks/hardening.json +1 -1
  26. package/data/playbooks/library-author.json +1 -1
  27. package/data/playbooks/secrets.json +25 -1
  28. package/data/rfc-references.json +93 -1
  29. package/data/zeroday-lessons.json +475 -13
  30. package/lib/auto-discovery.js +26 -2
  31. package/lib/exit-codes.js +72 -0
  32. package/lib/flag-suggest.js +130 -0
  33. package/lib/id-validation.js +95 -0
  34. package/lib/lint-skills.js +68 -1
  35. package/lib/playbook-runner.js +321 -46
  36. package/lib/prefetch.js +113 -0
  37. package/lib/refresh-external.js +190 -8
  38. package/lib/refresh-network.js +35 -8
  39. package/lib/schemas/cve-catalog.schema.json +31 -4
  40. package/lib/schemas/playbook.schema.json +51 -0
  41. package/lib/scoring.js +41 -0
  42. package/lib/upstream-check-cli.js +16 -1
  43. package/lib/upstream-check.js +9 -0
  44. package/lib/verify.js +20 -4
  45. package/manifest-snapshot.json +1 -1
  46. package/manifest-snapshot.sha256 +1 -1
  47. package/manifest.json +59 -59
  48. package/package.json +8 -2
  49. package/sbom.cdx.json +6 -6
  50. package/scripts/check-test-coverage.js +67 -0
  51. package/scripts/verify-shipped-tarball.js +9 -0
  52. package/skills/ai-attack-surface/skill.md +11 -2
  53. package/skills/ai-c2-detection/skill.md +3 -1
  54. package/skills/ai-risk-management/skill.md +3 -1
  55. package/skills/api-security/skill.md +4 -0
  56. package/skills/attack-surface-pentest/skill.md +1 -0
  57. package/skills/container-runtime-security/skill.md +3 -1
  58. package/skills/dlp-gap-analysis/skill.md +1 -1
  59. package/skills/exploit-scoring/skill.md +2 -2
  60. package/skills/incident-response-playbook/skill.md +1 -1
  61. package/skills/kernel-lpe-triage/skill.md +6 -1
  62. package/skills/mcp-agent-trust/skill.md +7 -2
  63. package/skills/mlops-security/skill.md +1 -1
  64. package/skills/rag-pipeline-security/skill.md +4 -2
  65. package/skills/sector-financial/skill.md +1 -1
  66. package/skills/skill-update-loop/skill.md +1 -1
  67. package/skills/supply-chain-integrity/skill.md +3 -1
  68. package/skills/threat-model-currency/skill.md +1 -1
  69. package/skills/webapp-security/skill.md +2 -0
  70. package/skills/zeroday-gap-learn/skill.md +2 -2
package/data/attack-techniques.json CHANGED
@@ -1,10 +1,13 @@
1
1
  {
2
2
  "_meta": {
3
3
  "schema_version": "1.0.0",
4
- "last_updated": "2026-05-13",
5
- "attack_version": "17",
6
- "attack_version_date": "2025-06-25",
7
- "source": "https://attack.mitre.org — MITRE ATT&CK Enterprise + ICS. Only techniques currently referenced by shipped exceptd skills and playbooks. The full ATT&CK matrix (~700 techniques) is intentionally not duplicated here; this is a resolution catalog for cross-reference validation, not a substitute for attack.mitre.org. See `npm run refresh-attack-techniques` (v0.13.0+) for the full corpus.",
4
+ "last_updated": "2026-05-15",
5
+ "last_threat_review": "2026-05-15",
6
+ "attack_version": "19.0",
7
+ "attack_version_date": "2026-04-28",
8
+ "tactic_split_note": "ATT&CK v19 split Defense Evasion (TA0005) into Stealth (TA0005) and Defense Impairment (TA0112). Entries here record their post-split tactic; entries whose tactic moved carry `tactic_moved_from: \"Defense Evasion\"` for traceability.",
9
+ "detection_strategies_note": "ATT&CK v18 introduced Detection Strategies as first-class objects (691 strategies, 1739 analytics at v18 release). Entries reference applicable strategy IDs (DSxxxx) where the technique has canonical strategy coverage; absence does not imply lack of detection.",
10
+ "source": "https://attack.mitre.org — MITRE ATT&CK Enterprise + ICS, v19.0 (April 2026). Only techniques currently referenced by shipped exceptd skills and playbooks. The full ATT&CK matrix is intentionally not duplicated here; this is a resolution catalog for cross-reference validation, not a substitute for attack.mitre.org. See `npm run refresh-attack-techniques` (v0.13.0+) for the full corpus.",
8
11
  "tlp": "CLEAR",
9
12
  "source_confidence": {
10
13
  "scheme": "Admiralty (A-F + 1-6)",
@@ -15,325 +18,436 @@
15
18
  "default_review_cadence_days": 90,
16
19
  "stale_after_days": 180,
17
20
  "rebuild_after_days": 365,
18
- "note": "Catalog must be rebuilt against the upstream ATT&CK release whenever MITRE publishes a new version. AGENTS.md hard rule #8 requires the bump to be intentional, not silent."
21
+ "note": "Catalog must be rebuilt against the upstream ATT&CK release whenever MITRE publishes a new version. AGENTS.md external-data version-pinning rule requires the bump to be intentional, not silent. ATT&CK ships semi-annually (April + October); audit on each release for tactic moves, technique splits, and new Detection Strategies."
19
22
  }
20
23
  },
21
24
  "T0001": {
22
25
  "name": "Authority Spoof",
23
- "version": "v17"
26
+ "version": "v19"
24
27
  },
25
28
  "T0017": {
26
29
  "name": "Spearphishing Attachment (ICS)",
27
- "version": "v17"
30
+ "version": "v19"
28
31
  },
29
32
  "T0051": {
30
33
  "name": "Position Tampering",
31
- "version": "v17"
34
+ "version": "v19"
32
35
  },
33
36
  "T0096": {
34
37
  "name": "Remote System Discovery (ICS)",
35
- "version": "v17"
38
+ "version": "v19"
36
39
  },
37
40
  "T0853": {
38
41
  "name": "Scripting",
39
- "version": "v17"
42
+ "version": "v19"
40
43
  },
41
44
  "T0855": {
42
45
  "name": "Unauthorized Command Message",
43
- "version": "v17"
46
+ "version": "v19"
44
47
  },
45
48
  "T0867": {
46
49
  "name": "Lateral Tool Transfer",
47
- "version": "v17",
50
+ "version": "v19",
48
51
  "domain": "ICS"
49
52
  },
50
53
  "T0883": {
51
54
  "name": "Internet Accessible Device",
52
- "version": "v17"
55
+ "version": "v19"
53
56
  },
54
57
  "T1021": {
55
58
  "name": "Remote Services",
56
- "version": "v17"
59
+ "version": "v19"
57
60
  },
58
61
  "T1027": {
59
62
  "name": "Obfuscated Files or Information",
60
- "version": "v17"
63
+ "version": "v19",
64
+ "tactic": "Stealth",
65
+ "tactic_moved_from": "Defense Evasion",
66
+ "tactic_id": "TA0005",
67
+ "detection_strategies": ["DS0009"]
61
68
  },
62
69
  "T1040": {
63
70
  "name": "Network Sniffing",
64
- "version": "v17"
71
+ "version": "v19"
65
72
  },
66
73
  "T1041": {
67
74
  "name": "Exfiltration Over C2 Channel",
68
- "version": "v17"
75
+ "version": "v19"
69
76
  },
70
77
  "T1053.003": {
71
78
  "name": "Scheduled Task/Job: Cron",
72
- "version": "v17"
79
+ "version": "v19"
73
80
  },
74
81
  "T1055": {
75
82
  "name": "Process Injection",
76
- "version": "v17"
83
+ "version": "v19"
77
84
  },
78
85
  "T1059": {
79
86
  "name": "Command and Scripting Interpreter",
80
- "version": "v17"
87
+ "version": "v19",
88
+ "tactic": "Execution",
89
+ "detection_strategies": ["DS0009", "DS0017"]
81
90
  },
82
91
  "T1059.001": {
83
92
  "name": "Command and Scripting Interpreter: PowerShell",
84
- "version": "v17"
93
+ "version": "v19"
85
94
  },
86
95
  "T1059.006": {
87
96
  "name": "Command and Scripting Interpreter: Python",
88
- "version": "v17"
97
+ "version": "v19"
89
98
  },
90
99
  "T1059.007": {
91
100
  "name": "Command and Scripting Interpreter: JavaScript",
92
- "version": "v17"
101
+ "version": "v19"
93
102
  },
94
103
  "T1068": {
95
104
  "name": "Exploitation for Privilege Escalation",
96
- "version": "v17"
105
+ "version": "v19"
97
106
  },
98
107
  "T1071": {
99
108
  "name": "Application Layer Protocol",
100
- "version": "v17"
109
+ "version": "v19"
101
110
  },
102
111
  "T1078": {
103
112
  "name": "Valid Accounts",
104
- "version": "v17"
113
+ "version": "v19"
105
114
  },
106
115
  "T1078.001": {
107
116
  "name": "Valid Accounts: Default Accounts",
108
- "version": "v17"
117
+ "version": "v19"
109
118
  },
110
119
  "T1078.002": {
111
120
  "name": "Valid Accounts: Domain Accounts",
112
- "version": "v17"
121
+ "version": "v19"
113
122
  },
114
123
  "T1078.003": {
115
124
  "name": "Valid Accounts: Local Accounts",
116
- "version": "v17"
125
+ "version": "v19"
117
126
  },
118
127
  "T1078.004": {
119
128
  "name": "Valid Accounts: Cloud Accounts",
120
- "version": "v17"
129
+ "version": "v19"
121
130
  },
122
131
  "T1098": {
123
132
  "name": "Account Manipulation",
124
- "version": "v17"
133
+ "version": "v19"
125
134
  },
126
135
  "T1102": {
127
136
  "name": "Web Service",
128
- "version": "v17"
137
+ "version": "v19"
129
138
  },
130
139
  "T1110": {
131
140
  "name": "Brute Force",
132
- "version": "v17"
141
+ "version": "v19"
133
142
  },
134
143
  "T1110.001": {
135
144
  "name": "Brute Force: Password Guessing",
136
- "version": "v17"
145
+ "version": "v19"
137
146
  },
138
147
  "T1133": {
139
148
  "name": "External Remote Services",
140
- "version": "v17"
149
+ "version": "v19"
141
150
  },
142
151
  "T1136.001": {
143
152
  "name": "Create Account: Local Account",
144
- "version": "v17"
153
+ "version": "v19"
145
154
  },
146
155
  "T1190": {
147
156
  "name": "Exploit Public-Facing Application",
148
- "version": "v17"
157
+ "version": "v19"
149
158
  },
150
159
  "T1195": {
151
160
  "name": "Supply Chain Compromise",
152
- "version": "v17"
161
+ "version": "v19"
153
162
  },
154
163
  "T1195.001": {
155
164
  "name": "Supply Chain Compromise: Software Dependencies and Development Tools",
156
- "version": "v17"
165
+ "version": "v19"
157
166
  },
158
167
  "T1195.002": {
159
168
  "name": "Supply Chain Compromise: Software Supply Chain",
160
- "version": "v17"
169
+ "version": "v19"
161
170
  },
162
171
  "T1199": {
163
172
  "name": "Trusted Relationship",
164
- "version": "v17"
173
+ "version": "v19"
165
174
  },
166
175
  "T1203": {
167
176
  "name": "Exploitation for Client Execution",
168
- "version": "v17"
177
+ "version": "v19"
169
178
  },
170
179
  "T1212": {
171
180
  "name": "Exploitation for Credential Access",
172
- "version": "v17"
181
+ "version": "v19"
173
182
  },
174
183
  "T1213": {
175
184
  "name": "Data from Information Repositories",
176
- "version": "v17"
185
+ "version": "v19"
177
186
  },
178
187
  "T1485": {
179
188
  "name": "Data Destruction",
180
- "version": "v17"
189
+ "version": "v19"
181
190
  },
182
191
  "T1486": {
183
192
  "name": "Data Encrypted for Impact",
184
- "version": "v17"
193
+ "version": "v19",
194
+ "tactic": "Impact",
195
+ "detection_strategies": ["DS0007", "DS0011"]
185
196
  },
186
197
  "T1505": {
187
198
  "name": "Server Software Component",
188
- "version": "v17"
199
+ "version": "v19"
189
200
  },
190
201
  "T1518": {
191
202
  "name": "Software Discovery",
192
- "version": "v17"
203
+ "version": "v19"
193
204
  },
194
205
  "T1525": {
195
206
  "name": "Implant Internal Image",
196
- "version": "v17"
207
+ "version": "v19"
197
208
  },
198
209
  "T1528": {
199
210
  "name": "Steal Application Access Token",
200
- "version": "v17"
211
+ "version": "v19"
201
212
  },
202
213
  "T1530": {
203
214
  "name": "Data from Cloud Storage",
204
- "version": "v17"
215
+ "version": "v19"
205
216
  },
206
217
  "T1543": {
207
218
  "name": "Create or Modify System Process",
208
- "version": "v17"
219
+ "version": "v19"
209
220
  },
210
221
  "T1546": {
211
222
  "name": "Event Triggered Execution",
212
- "version": "v17"
223
+ "version": "v19"
213
224
  },
214
225
  "T1547": {
215
226
  "name": "Boot or Logon Autostart Execution",
216
- "version": "v17"
227
+ "version": "v19"
217
228
  },
218
229
  "T1548.001": {
219
230
  "name": "Abuse Elevation Control Mechanism: Setuid and Setgid",
220
- "version": "v17"
231
+ "version": "v19"
221
232
  },
222
233
  "T1548.003": {
223
234
  "name": "Abuse Elevation Control Mechanism: Sudo and Sudo Caching",
224
- "version": "v17"
235
+ "version": "v19"
225
236
  },
226
237
  "T1552": {
227
238
  "name": "Unsecured Credentials",
228
- "version": "v17"
239
+ "version": "v19"
229
240
  },
230
241
  "T1552.001": {
231
242
  "name": "Unsecured Credentials: Credentials In Files",
232
- "version": "v17"
243
+ "version": "v19"
233
244
  },
234
245
  "T1552.004": {
235
246
  "name": "Unsecured Credentials: Private Keys",
236
- "version": "v17"
247
+ "version": "v19"
237
248
  },
238
249
  "T1552.005": {
239
250
  "name": "Unsecured Credentials: Cloud Instance Metadata API",
240
- "version": "v17"
251
+ "version": "v19"
241
252
  },
242
253
  "T1552.007": {
243
254
  "name": "Unsecured Credentials: Container API",
244
- "version": "v17"
255
+ "version": "v19"
245
256
  },
246
257
  "T1554": {
247
258
  "name": "Compromise Host Software Binary",
248
- "version": "v17"
259
+ "version": "v19"
249
260
  },
250
261
  "T1555": {
251
262
  "name": "Credentials from Password Stores",
252
- "version": "v17"
263
+ "version": "v19"
253
264
  },
254
265
  "T1556": {
255
266
  "name": "Modify Authentication Process",
256
- "version": "v17"
267
+ "version": "v19",
268
+ "tactic": "Credential Access",
269
+ "detection_strategies": ["DS0002"]
257
270
  },
258
271
  "T1557": {
259
272
  "name": "Adversary-in-the-Middle",
260
- "version": "v17"
273
+ "version": "v19"
261
274
  },
262
275
  "T1562.001": {
263
276
  "name": "Impair Defenses: Disable or Modify Tools",
264
- "version": "v17"
277
+ "version": "v19",
278
+ "tactic": "Defense Impairment",
279
+ "tactic_moved_from": "Defense Evasion",
280
+ "tactic_id": "TA0112",
281
+ "detection_strategies": ["DS0017", "DS0022"]
265
282
  },
266
283
  "T1562.006": {
267
284
  "name": "Impair Defenses: Indicator Blocking",
268
- "version": "v17"
285
+ "version": "v19",
286
+ "tactic": "Defense Impairment",
287
+ "tactic_moved_from": "Defense Evasion",
288
+ "tactic_id": "TA0112",
289
+ "detection_strategies": ["DS0017"]
269
290
  },
270
291
  "T1565": {
271
292
  "name": "Data Manipulation",
272
- "version": "v17"
293
+ "version": "v19"
273
294
  },
274
295
  "T1566": {
275
296
  "name": "Phishing",
276
- "version": "v17"
297
+ "version": "v19"
277
298
  },
278
299
  "T1566.001": {
279
300
  "name": "Phishing: Spearphishing Attachment",
280
- "version": "v17"
301
+ "version": "v19"
281
302
  },
282
303
  "T1566.002": {
283
304
  "name": "Phishing: Spearphishing Link",
284
- "version": "v17"
305
+ "version": "v19"
285
306
  },
286
307
  "T1566.003": {
287
308
  "name": "Phishing: Spearphishing via Service",
288
- "version": "v17"
309
+ "version": "v19"
289
310
  },
290
311
  "T1567": {
291
312
  "name": "Exfiltration Over Web Service",
292
- "version": "v17"
313
+ "version": "v19"
293
314
  },
294
315
  "T1568": {
295
316
  "name": "Dynamic Resolution",
296
- "version": "v17"
317
+ "version": "v19"
297
318
  },
298
319
  "T1570": {
299
320
  "name": "Lateral Tool Transfer",
300
- "version": "v17",
321
+ "version": "v19",
301
322
  "domain": "Enterprise"
302
323
  },
303
324
  "T1573": {
304
325
  "name": "Encrypted Channel",
305
- "version": "v17"
326
+ "version": "v19"
306
327
  },
307
328
  "T1574": {
308
329
  "name": "Hijack Execution Flow",
309
- "version": "v17"
330
+ "version": "v19"
310
331
  },
311
332
  "T1574.005": {
312
333
  "name": "Hijack Execution Flow: Executable Installer File Permissions Weakness",
313
- "version": "v17"
334
+ "version": "v19"
314
335
  },
315
336
  "T1595": {
316
337
  "name": "Active Scanning",
317
- "version": "v17"
338
+ "version": "v19"
318
339
  },
319
340
  "T1600": {
320
341
  "name": "Weaken Encryption",
321
- "version": "v17"
342
+ "version": "v19"
322
343
  },
323
344
  "T1606.001": {
324
345
  "name": "Forge Web Credentials: Web Cookies",
325
- "version": "v17"
346
+ "version": "v19"
326
347
  },
327
348
  "T1610": {
328
349
  "name": "Deploy Container",
329
- "version": "v17"
350
+ "version": "v19"
330
351
  },
331
352
  "T1611": {
332
353
  "name": "Escape to Host",
333
- "version": "v17"
354
+ "version": "v19",
355
+ "tactic": "Privilege Escalation",
356
+ "detection_strategies": ["DS0009", "DS0029"]
334
357
  },
335
358
  "T1613": {
336
359
  "name": "Container and Resource Discovery",
337
- "version": "v17"
360
+ "version": "v19"
361
+ },
362
+ "T1480.002": {
363
+ "name": "Execution Guardrails: Mutual Exclusion",
364
+ "version": "v19",
365
+ "tactic": "Stealth",
366
+ "tactic_id": "TA0005",
367
+ "added_in": "v19",
368
+ "detection_strategies": ["DS0009"]
369
+ },
370
+ "T1480.003": {
371
+ "name": "Execution Guardrails: Mutex Lock",
372
+ "version": "v19",
373
+ "tactic": "Stealth",
374
+ "tactic_id": "TA0005",
375
+ "added_in": "v19",
376
+ "detection_strategies": ["DS0009"]
377
+ },
378
+ "T1059.013": {
379
+ "name": "Command and Scripting Interpreter: Cloud API",
380
+ "version": "v19",
381
+ "tactic": "Execution",
382
+ "added_in": "v18",
383
+ "detection_strategies": ["DS0017", "DS0025"]
384
+ },
385
+ "T1556.007": {
386
+ "name": "Modify Authentication Process: Hybrid Identity",
387
+ "version": "v19",
388
+ "tactic": "Credential Access",
389
+ "added_in": "v18",
390
+ "detection_strategies": ["DS0002", "DS0028"]
391
+ },
392
+ "T1486.004": {
393
+ "name": "Data Encrypted for Impact: Data Theft Before Encryption",
394
+ "version": "v19",
395
+ "tactic": "Impact",
396
+ "added_in": "v19",
397
+ "detection_strategies": ["DS0007", "DS0011", "DS0029"]
398
+ },
399
+ "T1682": {
400
+ "name": "Query Public AI Services",
401
+ "version": "v19",
402
+ "tactic": "Reconnaissance",
403
+ "added_in": "v19",
404
+ "detection_strategies": ["DS0029"]
405
+ },
406
+ "T1683": {
407
+ "name": "Generate Content",
408
+ "version": "v19",
409
+ "tactic": "Resource Development",
410
+ "added_in": "v19",
411
+ "detection_strategies": ["DS0029"]
412
+ },
413
+ "T1685": {
414
+ "name": "Disable or Modify Tools",
415
+ "version": "v19",
416
+ "tactic": "Defense Impairment",
417
+ "tactic_id": "TA0112",
418
+ "added_in": "v19",
419
+ "detection_strategies": ["DS0017", "DS0022"]
420
+ },
421
+ "T1686": {
422
+ "name": "Disable or Modify System Firewall",
423
+ "version": "v19",
424
+ "tactic": "Defense Impairment",
425
+ "tactic_id": "TA0112",
426
+ "added_in": "v19",
427
+ "detection_strategies": ["DS0017"]
428
+ },
429
+ "T1687": {
430
+ "name": "Exploitation for Defense Impairment",
431
+ "version": "v19",
432
+ "tactic": "Defense Impairment",
433
+ "tactic_id": "TA0112",
434
+ "added_in": "v19",
435
+ "detection_strategies": ["DS0009"]
436
+ },
437
+ "T1689": {
438
+ "name": "Downgrade Attack",
439
+ "version": "v19",
440
+ "tactic": "Defense Impairment",
441
+ "tactic_id": "TA0112",
442
+ "added_in": "v19",
443
+ "detection_strategies": ["DS0029"]
444
+ },
445
+ "T1690": {
446
+ "name": "Prevent Command History Logging",
447
+ "version": "v19",
448
+ "tactic": "Defense Impairment",
449
+ "tactic_id": "TA0112",
450
+ "added_in": "v19",
451
+ "detection_strategies": ["DS0017"]
338
452
  }
339
453
  }